The biannual Department of Business Enterprise and Regulatory Reform survey into UK IT security has reported a fall in the number of security breaches.

The report suggests that security breaches peaked in 2004 and are now down to their 2002 levels.

Overall costs to UK businesses have dropped by a third in the past two years, but are still measured in billions of pounds.

Business Minister Shriti Vadera said: "New technology is a key source of productivity gains but, without adequate investment in security defences, these gains can be undermined by IT security breaches.

"The survey shows increasing understanding by business of the opportunities and threats, but challenges remain."

• INFOSEC VIDEO: Interview with Ed Gibson, chief security advisor at Microsoft UK

Virus attacks have dropped from first to fourth in a list of security concerns, and the number of companies suffering from infections has fallen by over 20 per cent, although the clean up costs have risen by over a quarter.

Over half of all companies now have a documented security strategy, up from 40 per cent two years ago. But large companies are taking it more seriously, with 88 per cent having a policy in place.

Unfortunately large companies are the most likely target. Around 96 per cent suffered a security incident last year compared to fewer than half of smaller companies.

Larger companies have also embraced outsourcing and offshoring of IT functions. The total number of companies outsourcing some of their IT departments has actually fallen from over half in 2006 to 47 per cent this year.

But this rises to 84 per cent for large firms which offshore 10 per cent of their IT jobs, double the industry average.

However, the survey was bad news for encryption enthusiasts. In 2006 13 per cent of companies were encrypting corporate hard drives, but this year it was down to eight per cent.

Only in large companies had this figure risen, and even then only 16 per cent routinely encrypt data.

Chris Potter, a partner at PricewaterhouseCoopers LLP who led the survey, said: "The survey also shows that 71 per cent have procedures to comply with the Data Protection Act, but only eight per cent encrypt laptop hard drives.

"Businesses all need to ensure that their defences are sound if they want to continue to enjoy the benefits that technology brings."

Two-factor authentication is also proving less than popular. Only 14 per cent of companies use the technology, up from eight per cent in 2006.

Larger companies are proving more accepting of two-factor authentication, however, with over half giving staff more secure log-ins.