DTI report highlights security failings

Published this week in conjunction with the Infosec security conference, the Information Security Breaches Survey 2000 worryingly revealed that over 30% of the 1000 organisations questioned do not recognise that their business information is either sensitive or critical and, therefore, a business asset.

Of those organisations that have critical or sensitive information, 43% have suffered an ‘extremely serious’ or ‘very serious’ breach, and a further 20% had suffered a ‘moderately serious’ breach in the last two years.

The main cause of the breaches was found to be the result of operator or user error, with 40% of companies acknowledging that information security cannot simply be solved by technology. And nearly three quarters of organisations that suffered a ‘serious’ breach had no contingency plan in place to deal with it.

But the DTI also found that over half of the organisations that have suffered a breach which they consider to be their ‘most serious’ do not believe there is anything they could have done to prevent it, even though the companies involved indicated that the cost of a single breach was in excess of £100,000.

The DTI said the problem is that only one in seven organisations has a formal security policy in place. ‘The presence of a formal policy is one of the most important issues in reporting and resolving security breaches,’ said the report.

‘Given the prominence of “people issues”, ranging from user and operator error through to fraud, typically being the cause of security breaches, the need for implementing a framework for information security management systems is stronger now than ever before,’ it added.

Some 37% of organisations undertake risk assessment, usually every six months, and a further 15% intend to do so, the report found. A total of 83% have virus protection and password controls, which shows that some hard and fast rules are being adhered to.

As a result, the DTI found ‘an illuminating state of information security awareness in the marketplace’.

However, there is still insufficient awareness and understanding of what can be done to combat the more significant risks, particularly those posed by human actions.

‘It is only when these procedural and management issues have been addressed that organisations can decide on what security technologies they need,’ the report concluded.

First published on

Related reading