
UK plc grows up in its attitude to information security

22nd Apr 2008

With access to broadband internet connections now widespread, the UK's business community has grown up in its attitude to information security, according to the biennial BERR/PricewaterhouseCoopers security survey. But many firms still leave themselves vulnerable by ignoring some basic concepts. John Stokdyk reports.

The results of the 2008 Information Security Breaches Survey were officially unveiled at the Infosecurity event in London on Tuesday 22 April.

Based on telephone interviews with more than 1,000 businesses, the survey found high levels of high-risk internet use:

  • 97% have a broadband internet connection
  • 42% use a wireless network
  • 17% use Voice over IP telephony.

Technology has become an important element in most businesses, which was reflected by good awareness and improvements in basic disciplines such as anti-virus and data back-up since the 2006 survey. For the first time, too, small businesses gave information security as high a priority as large companies. This year's results found that:

  • 99% back up their critical systems and data
  • 98% have software that scans for spyware
  • 97% filter incoming email for spam
  • 97% protect their website with a firewall
  • 95% scan incoming email for viruses
  • 94% encrypt their wireless network transmissions.

As a result of these improved precautions the 2008 survey tracked a continuing decline in security breaches since the peak level in 2004. Virus infection dropped significantly from 51% in 2006 - the biggest cause of incidents - to 21% this year, fourth out of five main causes of breaches.

The level of virus infection has fallen back to rates last seen in 2000. In contrast, data corruption incidents rose from 19% to 35% in the past two years and unauthorised access by outsiders climbed from 10% to 13% - four times the level seen in 2000.

Just under half of respondents were disrupted by the breaches they experienced in the past year, and 57% rated their incidents as serious, compared to 42% in 2006. But the effects of such incidents have gone up, the study found. The average cost of a UK company's worst incident is between £10,000 and £20,000, up slightly on 2006. For the largest businesses, the average cost of a serious incident ran up to £1m-£2m. The study was reluctant to extrapolate the overall figures, but presented an "indicative estimate" in the order of several billion pounds a year.

Chris Potter, the PwC partner who led the survey, commented on the findings: "If there is one area of security where UK plc has really got the message, it's virus protection. Only a tiny minority of companies don't take this area seriously. The message from this survey is clear - if you haven’t got anti-virus and anti-spyware software, you're way outside the benchmark.

Information security tips
  1. Understand the security threats you face, by drawing on the right knowledge sources.
  2. Use risk assessment to target your security investment at the most beneficial areas.
  3. Integrate security into normal business behaviour, through clear policy and staff education.
  4. Deploy integrated technical controls and keep them.
  5. Plan for contingencies so you can respond quickly and effectively to breaches.

Source: PwC

"But there remain some serious challenges. Companies now seem to be slower to install operating system patches than they were in 2006. Delaying patches can leave systems vulnerable to attack. On the other hand, rolling out patches instantly, without testing them first, can lead to systems instability. It's important that companies strike the right balance here – risk assessment is essential."

While most UK companies back up their critical IT systems and data, more than a quarter of them still do not have a disaster recovery plan in place, the survey found. Among other concerns highlighted, the study found:

  • Almost half of the disaster recovery plans have not been tested in the last year.
  • 10% of companies with a disaster recovery plan do not store backups off-site.
  • Of those companies that suffered a systems failure or data corruption incident, 31% had no contingency plan in place and a further 10% found their contingency plan to be ineffective. Also, 15% of companies do not take their backups off-site.

Martin Sadler, director of survey sponsor HP's Systems Security Lab in Bristol, added: "Increasingly, businesses need to back up their data more frequently. One in five large companies now automatically replicates transaction data to an off-site location as those transactions occur. Companies of all sizes are now using storage area networks to organise their data better.

"Taking backups off-site poses its own security risks. Historically, backups have tended to be unencrypted to minimise the effort to restore data. More companies are now considering whether they ought to be encrypting their backups."

The full 32-page report (1MB PDF file) and a 6-page executive summary can be downloaded from PwC's website.
