Small firms bear brunt as cost of cybercrime soars

DTI reveals cost of e-crime to UK business has risen 50% in two years

Small businesses are bearing the brunt of a sharp increase in the cost of computer crime, figures released by the government today will reveal.

The Department of Trade & Industry's Security Breaches Survey is expected to show that the cost of computer crime to businesses in the UK has risen by 50% over the past two years, leaving UK firms billions of pounds out of pocket.

The volume of attacks directed against businesses has grown substantially, with firms reporting an average of eight security breaches a year, compared with five incidents two years ago.

More than 10% of the 1,000 firms surveyed reported attempts to break into their networks, 5% suffered denial of service attacks, and 2% had their telecoms or internet traffic attacked over the past year.

"Large businesses seem to be reaping the rewards of higher investment in security and better security controls. Although the individual cost of computer crime to small businesses is lower, it is a greater overall hit. They tend to have less effective controls in place," said Chris Potter, director at PricewaterhouseCoopers, which conducted the survey.

The findings have prompted the Federation of Small Businesses to renew demands for government help and training in IT security for small businesses.

"We are calling on the government to allocate funds to make more information available to small businesses through the Small Business Service, so that when advice is given, they build in an allocation of money for training staff in the prevention of computer crime," said Stephen Alambritis, head of parliamentary affairs at the Federation of Small Businesses.

Large firms were found to have reduced the financial impact of attacks on their systems by 50% compared with two years ago, by investing in security technology.

The trend has been partly driven by the emergence of regulations that require firms listed on the stock market to have controls in place to monitor the security of critical information systems.

Almost all the companies surveyed have anti-virus systems, and 88% of large firms patch security holes within a week of discovery, said PricewaterhouseCoopers.

"People are much better now at logging and monitoring staff access to the internet than they were two years ago," said Potter. "There are better controls, communications and definitions of acceptable internet use, and a big increase in the number of companies using intrusion detection software."

John Colley, security consultant and chairman of security qualifications body ISC2, said smaller businesses faced a dilemma as they weighed up the business advantages of selling over the internet against the increased risk to security.

The Federation of Small Businesses said it was not surprised that small firms were being hit by computer crime, as most lack the resources and expertise to protect themselves.

"Small companies rarely set aside money to deal with computer crime," said Alambritis.

Chris Simpson, head of Scotland Yard's Computer Crime Unit, advised small firms to put policies in place to prevent and detect data theft, in addition to basic security precautions such as firewalls and anti-virus software.

The most common mistake is for firms to fail to have written security policies for their staff, or to fail to enforce them, he said.
