After weeks of drip-feeding results from the 2008 Information Security Breaches Survey to the media, the final full results have now been published.
The 2008 Information Security Breaches Survey was carried out by a consortium, led by PricewaterhouseCoopers LLP, on behalf of the Department for Business, Enterprise & Regulatory Reform (BERR).
IT systems and information security are more important to UK companies than ever before, with 81 percent of boards giving a high or very high priority to information security. As businesses continue to grasp the opportunities provided by new technology (97 percent now have a broadband internet connection), there has been a real improvement in controls, particularly in basic disciplines such as anti-virus and backups. The average spend by companies on security defences has tripled over the last six years, resulting in the overall cost to UK plc of reported security breaches dropping by a third. Despite this reduction, the annual cost to companies still runs into several billions of pounds.
Despite the improvements in security controls, the survey shows that many companies remain exposed to loss of confidential data. For example, four-fifths of companies that have computers stolen have not encrypted their hard drives, and two-thirds of companies do nothing to prevent confidential data leaving on USB sticks.
The broadband revolution has allowed companies to use the Internet to reach their customers and enable their staff to be more mobile:
* 54% of UK companies allow staff to access their systems remotely;
* 42% use a wireless network;
* 17% use Voice over IP telephony, and this will rise to 30% by the end of 2008;
* 5% have moved some of their IT operations offshore; and
* 84% are heavily dependent on their IT systems.
Over the last six years, the security landscape has changed dramatically:
* 98% of companies now have software to scan for spyware;
* 94% of wireless networks are now encrypted, versus only 47% in 2002;
* 55% of UK companies have a documented security policy, versus 27% in 2002;
* Expenditure on information security has increased from 2% to 7% of IT budget over that period;
* 40% of businesses provide ongoing security awareness training to staff – twice as many as six years ago;
* 14% use strong (i.e. multi-factor) authentication; and
* 11% have implemented the British/International Standard for information security management (BS 7799/ISO 27001), versus only 5% in 2002.
After the peak in 2004, the number of companies reporting a security breach has returned to roughly the level seen in 2002:
* 45% of small businesses reported a breach in the last year, down from 62% in 2006;
* Larger businesses are more likely to have security breaches, with 96% of very large companies (more than 500 employees) affected;
* Most companies affected experienced several breaches in the year – the median number of breaches is 6 and the mean is 100;
* The average cost of the worst incident of the year is highly dependent on the size of the business, varying from roughly £15,000 for small businesses to £1.5 million for very large businesses;
* The total cost to UK plc has dropped by roughly a third compared with two years ago, returning to the levels seen in 2004;
* Companies are, however, generally pessimistic, with only 17% expecting fewer security incidents next year.
The survey findings also indicate that confidential information is increasingly at risk, especially in large businesses, where:
* 13% have detected unauthorised outsiders within their network;
* 9% had fake (phishing) emails sent to their customers asking for data;
* 9% had customers impersonated (e.g. after identity theft); and
* 6% have suffered a confidentiality breach.
While 77% of UK companies say that protecting customer data is a very important driver of their information security expenditure, many companies are simply not doing enough to achieve this goal:
* 10% of websites that accept payment details do not encrypt them;
* 21% of companies spend less than 1% of their IT budget on information security;
* 67% do nothing to prevent confidential data leaving on USB sticks;
* 78% of companies that had computers stolen had not encrypted their hard drives; and
* 79% are not aware of the contents of security standards BS 7799/ISO 27001.
The survey suggests five simple steps businesses of all sizes should take to protect themselves in this changing world:
1. Understand the security threats you face, by drawing on the right knowledge sources.
2. Use risk assessment to target your security investment at the most beneficial areas.
3. Integrate security into normal business behaviour, through clear policy and staff education.
4. Deploy integrated technical controls and keep them up to date.
5. Respond quickly and effectively to breaches, e.g. by planning ahead for contingencies.
Read a PDF copy of the survey report.

Date: 22nd April 2008 • Region: UK • Type: Article • Topic: ISM