According to this year’s poll, around 44% of UK businesses have suffered at least one malicious security breach in the last twelve months. The average cost of such an incident was £30,000, but several businesses surveyed had security incidents that cost them over £500,000.
While most of these businesses managed to restore normal operations within a day of their worst security breach, 20% of companies that had an incident took more than a week to get business operations back to normal.
Virus infection was the single biggest cause of serious security breaches (accounting for 33% of the most serious breaches), despite the fact that 83% of companies questioned now use antivirus software.
Most worrying was the fact that although the number of UK businesses with a documented security policy has doubled since the year 2000, it is still only 27%.
While BS7799 has become the international standard for security, only 15% of people responsible for IT in the UK are aware of its contents, and only 49% of businesses have documented procedures to ensure compliance with the Data Protection Act – something which could land them with a jail sentence.
Only 33% of the UK companies surveyed have software in place to detect intrusion, and only 51% of those with transactional websites encrypt transactions passing over the internet.
The DTI said it found that business people find it very difficult to apply normal commercial disciplines to IT security. Only 30% of UK firms ever evaluate the return on investment (ROI) on their information security expenditure. As a result, only 27% spend more than one per cent of their IT budget on information security.
One particular area the DTI highlighted for new concern is the increasing trend of staff working remotely.
Seventy-one per cent of large businesses now allow their staff access to their systems remotely (i.e. from home). Yet only 19% of businesses that currently provide remote access have implemented two-factor authentication, and only 69% of transactional websites require customers to authenticate themselves in any way. The DTI warns: ‘If more attention is not paid to this area, the potential for fraud and reputational damage is enormous.’
‘These factors make a compelling case for action now,’ said the DTI. ‘The solution is not simply more expenditure. Instead, it revolves around using the right expertise to make sound commercial decisions about which investments in security to make and which risks to accept or insure.’