These are among the initial findings from the 2004 DTI biennial Information Security Breaches Survey, conducted by a consortium led by PricewaterhouseCoopers.
The findings also reveal that the two biggest causes of abuse were excessive personal e-mails and access to inappropriate web sites.
Key findings from the survey of 1,000 companies:
Employees have access to the web in 89% of UK businesses (98% in large companies), up from 69% in 2002 when the survey was last carried out; the equivalent figures for access to internet e-mail are slightly higher;
Overall, nearly two-thirds of larger companies, and one in five of all businesses, reported staff misusing company systems, citing excessive web browsing, e-mail misuse, unauthorised access to systems and legal infringements;
8% of businesses said their worst security incident of the year involved internet misuse and roughly one in five of those had a serious impact;
While incidents are clearly rising, there has not been a corresponding increase in the levels of control companies apply to prevent such problems. In particular, SMEs that have recently granted their staff with access tend not to have implemented any controls over that access;
Whereas two years ago, 57% of companies blocked or quarantined e-mails, this has fallen to just 16%; indeed, nearly a third of companies now have no controls at all over e-mail, compared to 12% in 2002;
Equally, the number of companies that restrict who can access the web has dropped to 29% from 45%, logging and monitoring acceptable sites to 20% from 45% and blocking access to inappropriate sites to 15% from 34%; Nearly a third of all companies (although just 4% of large businesses) now have no controls in place at all;
Companies logging and monitoring internet access reported a higher number of incidents of misuse, implying that organisations without such controls are letting incidents go undetected;
With hindsight, companies that had suffered an incident of misuse rated better staff training followed by improved policies and additional technical defences as the main controls that could have prevented it from happening.
Chris Potter, the PricewaterhouseCoopers partner leading the survey, said:
"As more businesses provide their staff with access to the internet, the number of incidents of staff abusing that access is rising. It seems unwise to wait until a major breach before putting effective controls and plans in place. Unfortunately, many businesses, particularly SMEs, are doing exactly that. Our survey shows that only one in three companies that suffered an incident involving Internet abuse already had a contingency plan in place to deal with it. Where such plans did exist, however, most proved very effective at handling the problem."
