Findings from the new Information Security Breaches Survey (ISBS) report from PricewaterhouseCoopers (PwC) indicate UK businesses have been slow to react to the security risks created by the use of emerging technologies like smartphones, tablets and social networking.
The report, which will be presented at the Infosecurity 2012 conference in London next week, traditionally serves as a barometer of the state of the UK’s information security posture.
According to the report, more employees use their own mobile devices to access corporate IT systems, yet few companies have implemented policies and controls to protect the data stored on employee-owned devices. And, while organisations see the benefits of social networking sites, few monitor how the sites are used by their staff.
Scope of ISBS report
The ISBS report, written by PwC with support from the Department for Business, Innovation and Skills, is published every two years. The 2012 edition is based on a survey of security professionals in 447 UK organisations spread across all industry sectors, of which roughly a fifth were from the public sector.
This lack of controls over personal devices and social networking, combined with a widespread lack of security awareness among users, has resulted in a high incidence of security breaches caused by internal staff. In the ISBS 2012 report, 82% of large companies (those with 500+ employees) indicated they had suffered a security breach caused by one of their employees, and 47% said the incidents had entailed the loss of confidential information.
Despite the number of high-profile security breaches of the last few years, the report states 54% of small businesses, and 38% of large organisations, do not have a security awareness programme in place.
The report also notes that three-quarters of large organisations and 61% of small businesses allow staff to use mobile devices to connect to their corporate systems, and yet only 39% of large businesses, and 24% of small businesses, apply data encryption on the devices.
The 2012 ISBS survey uncovered a rise in the use of social networking. Yet only 8% of small companies and 13% of large ones monitor what their staff post on social networking sites. The study found financial services companies tend to block the sites altogether, but half of small businesses have no web blocking or logging software at all.
“With the explosion of new mobile devices and the blurring of lines between work and personal life, organisations are opening their systems up to massive risk,” said Chris Potter, a partner at PwC in the UK and an author of the report. He said the bring-your-own-device (BYOD) trend is creating new security threats from both malicious software and data loss. Potter added that organisations that allow personally owned devices tend to have weaker controls than those that only allow corporate devices.
Potter compared the situation to a similar one a decade ago, when many companies lacked even the most basic security defences, such as antivirus software, and took a long time to adjust to the dangers they faced. “Companies are slow to adjust their controls as technology usage changes,” he said. “It’s vital to tell your staff about the risks. If you don’t, your own people could inadvertently become your worst security enemy.”