Security Strategy

"Irresponsible" security policies threaten UK businesses

Security is for other people...

By Graham Hayday

Published: 12 March 2002 15:30 GMT

Barely 50 per cent of UK companies have business continuity plans in place - a situation that's unlikely to improve unless security is treated as a business issue.

Ernst & Young's Global Information Security Survey 2002, out today, shows just 53 per cent of companies have such plans. More alarming still, only 49 per cent of these have been tested.

Much of the activity that is taking place is in what Ernst & Young regards as the 'basics' of information security, such as firewall management and anti-virus protection.

Forty per cent of companies do not investigate security incidents at all, despite warnings that security breaches often result in the creation of 'back doors' for malicious use later.

Furthermore, only 81 per cent of the companies surveyed employ anti-virus procedures, a meagre 72 per cent have implemented access management and just 66 per cent have firewall management.

Security experts agree that these figures should be nearer the 100 per cent mark.

Ernst & Young believes the way information security is approached within businesses leaves much to be desired, as it is often marginalised as a straight IT issue. Only 29 per cent of the companies surveyed by the consultancy treat business continuity planning as a business unit expenditure.

Forty-five per cent indicated that the expense is borne by the IT budget, indicating that many organisations still perceive business continuity as the responsibility of IT and not an essential component of corporate strategy.

Ernst & Young claims it is "irresponsible" not to place information security on the boardroom agenda.

Jan Babiak, managing partner of Ernst & Young's UK Information Security Practice, said: "An organisation's information security strategy must extend beyond the technical solution to include sound consideration of the nature of the business risks and the culture."

She added: "It must be informed and objective and must drive tactical and operational decisions in all business areas if it is to be of real value today. Getting this right can mean the difference between success and failure."

Ernst & Young surveyed 459 CIOs, IT directors and business executives in UK companies.

For more information, see http://www.ey.com/uk
