Businesses pay for over-confidence in firewall protection

Businesses are falling victim to destructive computer viruses and hacking attacks because they wrongly assume that firewalls are sufficient to protect their networks, the latest DTI Information Security Breaches Survey has revealed.

More than 33% of companies experienced hacking attempts on their websites last year, and 4% said their systems had been penetrated by hackers, the survey of 1,000 organisations found.

Yet more than 70% said they were satisfied with the security of their systems and were confident that they could detect and prevent security breaches.

"The mismatch between the level of confidence organisations have and the number of incidents they are experiencing is worrying. There is no evidence to show that confidence is justified," said Andrew Beard, security consultant at PricewaterhouseCoopers.

Over the past two years the number of successful hacks reported by businesses has doubled, with hacking attempts rising disproportionately for small businesses, the survey found.

The cost of investigating and remedying the problem, rather than loss of business or service disruption, topped the list of concerns for most organisations.

Twenty-five per cent of companies took between two and 10 days of man-effort to repair their systems, and some took as many as 20 to 50 man-days.

Despite growing threats, the survey found that almost 50% of companies rely on firewalls as their only form of defence.

Only 14% of all organisations and 32% of large organisations scanned their networks for attacks and vulnerabilities. Just 8% of all organisations and 25% of large companies did penetration testing on their network gateways. Four per cent of businesses used "war dialling", where users test for vulnerable data links by checking their telephone extensions for unauthorised modems.

The survey found that almost 50% of firms hosted their websites with external companies, but a significant proportion were unaware what security defences their suppliers had put in place.

"Blind faith may be a little harsh, but there is an element where people think it will be alright if they outsource. Their comfort comes from outsourcing, not from what the outsourcer brings by way of security," said Beard.

Full results of the survey will be released at Infosecurity Europe, London, 27-29 April.