Three-quarters of UK businesses rated security as a high or very
high priority for their senior management or board of directors,
according to the research, conducted by a consortium led by
PricewaterhouseCoopers.
UK companies are spending more on information security controls
than ever, on average 4–5% of their IT budget, up from 3% in 2004
and 2% in 2002.
This investment appears to be paying off. Fewer companies had
security incidents than in 2004 when the survey was last
undertaken. Overall, 62% of businesses have had a security incident
in the past year, down from 74% two years ago. Large businesses
continue to be more security-conscious and they have reaped rewards
as the total cost to them of security incidents has fallen by 50%
over the last two years.
However, the burden of security incidents is falling on small
businesses, where security controls tend to be less well-developed.
The average number of incidents suffered has risen by 50% to
roughly eight a year. The average cost (principally business
disruption cost rather than cash losses) of a UK company's worst
security incident was approximately £12,000 – up from £10,000 two
years ago. Overall, an indicative estimate of the total cost of
security breaches to UK plc is up by 50% from two years ago, and is
around £10 billion per annum.
Greater use of emerging technologies is changing the nature of
the security threat UK businesses face. Companies are slow to adopt
controls to reduce this threat. A quarter of UK businesses are not
protected against spyware and, although more wireless networks are
protected than two years ago, one in five is still completely
unprotected. A further one in five is unencrypted.
Fifty-five percent of firms have not taken any steps to protect
themselves against the threat posed by removable media devices.
Two-fifths of companies that allow staff to use Instant Messaging
have no controls in place over its use. Of the companies that have
implemented Voice over Internet Protocol (VoIP) telephony, half did
so without evaluating the security risks.
The five key recommendations from the survey are for UK
companies to:
- Draw on the right expertise and international standards to
understand the security threats they face and their legal
responsibilities.
- Integrate security into normal business practice, through a
clear security policy and staff education.
- Use risk assessment to target their investment in security
controls at the areas of maximum business benefit.
- Make sure their key security defences are up to date and
integrated, and address emerging technologies they are exposed to
(such as spyware, instant messaging, VoIP, etc.).
- Develop contingency plans so that they can respond to any
security incidents efficiently and minimise business
disruption.
The 2006 Department of Trade and Industry's biennial Information
Security Breaches Survey (ISBS), like its seven predecessors, is
considered the most authoritative source on the state of
information security in the UK. The consortium that ran the survey
included Microsoft, Symantec, Entrust and Clearswift. The detailed
findings were launched this week at Infosecurity Europe in
London.
