Businesses fail to curb staff abuse of IT systems

Employers in the UK are failing to control staff access to e-mail and the web despite a large rise in reported incidents of...

Employers in the UK are failing to control staff access to e-mail and the web despite a large rise in reported incidents of employees abusing internet and e-mail facilities in the office.

In the past two years, the number of companies that have reported abuse of the internet has doubled, but the proportion of organisations taking active measures to deal with the issue has fallen.

Two-thirds of the UK's large firms and a fifth of small firms have reported problems with abuse, according to the Department of Trade and Industry's 2004 Information Breaches Survey.

One in five of the companies affected said that internet abuse has had a serious impact on their business, and 8% rated internet abuse as their worst security incident in the past 12 months.

The incidents that came to light typically disrupted companies for up to a week, and took between one and three man-days of effort to investigate, the survey of 1,000 companies revealed.

More than half of abuse cases were caused by inappropriate web or e-mail use. A third involved excessive personal e-mail, and one in five were for excessive web surfing for personal interest.

The survey has shown businesses are unwittingly leaving themselves open to legal action by failing to prevent employees distributing offensive material or viewing offensive sites on the internet during work time.

"It can be as serious as having your systems hacked. You could leave your firm open to civil procedures or harassment claims if offensive material is passed around. If your staff access illegal material, there could be criminal sanctions," said Chris Potter, partner at PriceWaterhouseCoopers.

Despite the risks, the number of companies blocking and quarantining e-mails has fallen from 57% to 16% in the past two years. And 33% of companies now have no controls on e-mail, compared to just 12% in 2002.

Similarly, the proportion of firms that restrict web access has dropped from 45% to 29%. Those blocking inappropriate sites has fallen from 34% to 15%, and nearly 33% of companies have no web controls in place at all.

This dramatic increase can be attributed to an explosion in the number of small firms offering staff access to the internet without putting controls in place.

Employees now have access to the web in 89% of companies, compared to 69% two years ago, the survey revealed.

The full results of the survey will be released at Infosecurity Europe, London 27-29 April

Read more on IT risk management