UK firms must face the reality of security problems, says study

The average UK business is now hit by a security incident every month, or once a week for larger companies, according to the UK's...

The average UK business is now hit by a security incident every month, or once a week for larger companies, according to the UK's Department of Trade and Industry's (DTI) bi-annual security survey, published this week.

The survey of 1,000 companies, completed in January by PricewaterhouseCoopers-led consortium, found that security problems are now an issue faced by the majority of UK businesses, with nearly all large companies affected.

The survey found that businesses have not yet adjusted to this reality and suffers from inadequate security training and overconfidence in their security systems.

The lack of adequate concern about security is reflected in spending, which is below the mark considered reasonable by industry observers.

The majority of UK companies - 74% - have had a security incident in the past year, rising to 94% for large companies, the DTI survey found.

That figure includes accidents such as system failures and data corruption; but malicious incidents are now far more common than accidents, with 68% of all companies (91% of large businesses) suffering at least one malicious attack in the past year. In 2002, only 44% had been attacked, and in 2000 the figure was just 24%.

"If you go back some years, accidental incidents far outweighed malicious incidents. Now more than twice as many companies had malicious incidents as accidental ones," said Chris Potter, the PwC partner who led the survey.

Most malicious attacks were caused by viruses or inappropriate use of IT systems by staff, with the average cost of an organisation's most serious incident about £10,000 to £120,000 for large companies - largely because of disruption to a company's operations. Some companies suffered disruption for more than a month after an attack, Potter said.

The upshot for businesses is that security is now an issue requiring increasing investment, Potter said.

"With security, as with everything else, the issue is one of cost versus benefit. What we have seen here is that the trend of incidents is unfortunately upwards, so the cost to UK businesses is continuing to rise."

In response, companies are now more likely to have a security policy in place. Three-quarters said they were confident the measures they had instituted good enough security measures, although in reality, less than half of the companies surveyed actually had effective security measures, Potter said.

"We feel there is the problem of overconfidence, because people do not fully understand the risks they're running," he said.

A skills gap appears to be contributing to the problem, with 11% of companies having staff with formal security qualifications.

"It's important to realise that qualifications are only one way of measuring expertise. But if you look at some of the other figures in the survey, they expose a skills gap in many businesses," Potter said.

One example, Potter said, was that only 12% of the individuals responsible for a company's security were aware of the contents of the BS 7799 standard for information security - a figure that has not increased in the past two years.

The UK government has praised businesses for making progress in integrating security.

"It is encouraging to note that information security remains a high priority at board level," said e-commerce minister Stephen Timms. "More companies than ever have a security policy in place and those that have adopted BS7799 have found it has yielded real benefits."

Participants in the DTI survey were spending an average of 3% of their IT budget on security, up from 2% in 2002. Industry observers consider 5% to 10% a reasonable benchmark level. These figures tally with an IDC study released this week, which also pegged spending at less than 5% of IT budgets.

IDC expected security expenditure worldwide to hit $48bn this year, still just 4.8% of overall IT spend, and about on par with the $43bn annual spending on printers and multifunctional peripherals. The figure will rise to 7% of the overall IT budget by 2007, IDC said.

Mobile and wireless security spending will grow more quickly, rising 71% a year to $1.27bn in 2007, IDC said.

Matthew Broersma writes for

Read more on IT risk management