Lax security shaming UK businesses

Only one in four companies are properly protected from hacks or virus attacks, even though nearly three quarters of senior managers in the UK put security high up on their agendas.

According to the Department of Trade and Industry's latest Information security breaches survey, which was conducted by PricewaterhouseCoopers (PwC), 73 per cent of senior management think security is extremely important, but only 25 per cent actually have a security policy in place to protect their networks.

A similar survey conducted by Ernst and Young in March revealed similarly worrying statistics, with just 53 per cent of companies having business continuity plans in place. Only 49 per cent of these have been tested (see http://www.silicon.com/a51975 ).

Chris Potter, a partner at PwC, said: "One issue companies have is that business people understand the risks but don't understand the detail. The business people don't know what to spend money on and the IT people don't frame the security spend in the same way they do other projects in terms of a business case and a return on investment."

The rapid rise of ecommerce has left many more companies vulnerable to attack, he added. While UK firms are increasingly using the internet they are failing to consider the ensuing risks.

Billions of pounds are lost each year as an increasing number of employees are given access to the internet and email.

Potter said: "The three main areas which showed the biggest rise in incidents over the last two years are viruses, hacking and employee misuse of IT - this includes sending inappropriate emails or looking at inappropriate websites."

Employees need to be educated in security policy, he added.

Corporate espionage and theft also contribute to the problem. Ofir Arkin, managing security architect at security consultancy @stake, said: "Some businesses trust their own users but we know that this doesn't hold when offered the right amount of money for accessing information from restrictive areas of the network. Companies need to know what users are doing as industrial espionage is rife."

Companies fail to invest in security as it is often considered not to provide an economic return, according to the DTI. Potter estimates each security breach costs £30,000 to fix while several larger companies have reported spending £500,000 to repair the damage caused by fraud, hacking and viruses.

Arkin said keeping yourself in business should be seen as the return on investment.

For related news, see
Security: The Board washes its hands - again
http://www.silicon.com/a52728
Almost half of all companies hit by online fraud
http://www.silicon.com/a52702
"Irresponsible" security policies threaten UK businesses
http://www.silicon.com/a51975
'Security?' We've heard of it
http://www.silicon.com/a52629
Retraining key to better IT security
http://www.silicon.com/a52594

To buy related reports or event tickets, click:
Report: Service Level Management Report
http://www.silicon.com/goto-ecc-na3
Report: Databases: An Evaluation and Comparison
http://www.silicon.com/goto-ecc-na2
Report: PC Market Report
http://www.silicon.com/goto-ecc-na4
Report: Web Content Management
http://www.silicon.com/goto-ecc-ed12