Failure to secure remote access leaves firms at risk

DTI survey reveals firms have insufficient internal security

Businesses are leaving themselves at risk from cyber attack by failing to upgrade their security when they allow staff remote access to their corporate networks.

The Department of Trade & Industry's Information Security Breaches Survey 2006, to be published next month, found that nearly 20% of companies allowed staff to access corporate systems using their normal network log-on procedures. The research raised concerns that firms were leaving their internal systems exposed to attacks from hackers.

"You are effectively shifting the perimeter of your network and you are allowing someone into your inner sanctum from a remote place that is not secure," said Andrew Beard, director of PricewaterhouseCoopers, which managed the survey.

The report showed that where companies employed additional security for remote users, 60% required users to enter additional passwords, but only 9% used two-factor authentication.

About 40% of the 1,000 firms surveyed used a virtual private network to encrypt communication links between employees' remote computers and the corporate system, but this rose to 50% for large companies.

For 90% of the companies surveyed, regulatory compliance was the main driving force for network access management.

Despite this, the research found that most businesses were approaching identity management in a piecemeal way and failing to reap the full benefits.

More than 90% did not have fully automated provisioning systems for staff access to IT systems, increasing the risk that user accounts may be left live after staff have left the organisation.

"There are very few organisations that are adopting a combined approach with authentication, user management and user sign-on. They seem to be looking at them separately. Just 1% show evidence they are doing all three," said Beard.

Full results of the survey will be launched at Infosecurity Europe in London on 25-27 April.

High cost of computer-based fraud

Computer-based fraud accounted for only 1% of the security breaches experienced by firms last year, but the impact was greater than any other security breach, the DTI's Information Security Breaches Survey 2006 revealed.

One large bank lost several million pounds, and several small businesses reported losses from computer-related fraud of between £10,000 and £50,000, according to the survey of 1,000 firms.

Some small firms had to spend more than £10,000 in legal and other costs to repair the damage after a fraud, and 20% of firms had to spend more than £1,000.
