
Virus infections behind the rise, according to DTI/PwC survey…
By Andy McCue
Published: 27 April 2004 15:50 GMT
More than 90 per cent of large UK businesses have been the victim of a malicious security incident in the past year, largely due to a sharp increase in the volume of virus attacks, according to a government security survey.
The figure marks a significant change from the time when a larger proportion of security breaches were accidental: the focus has switched to malicious incidents such as viruses, hack attacks and fraud. When small and medium-sized firms are added into the equation, 68 per cent overall had a malicious incident in the past year.
A thousand UK businesses were quizzed for the seventh 'state of the nation' biennial Information Security Breaches Survey by the Department of Trade and Industry and PricewaterhouseCoopers.
E-commerce minister Stephen Timms, introducing the report, said: "Security problems have now become a fact of business life, and not something that happens to someone else. As organisations struggle to contain these threats, the number of security incidents continues to rise."
Two-thirds of large firms and half of all those surveyed suffered a virus infection last year, compared to 41 per cent in 2002. Staff misuse hit 64 per cent of large firms and 22 per cent of all firms on average, compared to 11 per cent in 2002. Viruses also caused the greatest number of serious breaches.
The average cost of security breaches has actually gone down – in large firms it costs about £120,000 an incident, with the overall average cost £10,000 – but because the number of incidents has increased, the total cost to UK business is of the same order of magnitude, which is "several billions of pounds", according to the research.
UK organisations are now hit once a month on average with a security incident, with large companies hit once a week.
Part of the reason for the increase in the number of breaches is the increased exposure to cyberthreats. Ninety per cent of UK businesses now send email, use the internet and have a website. New threats have also emerged because of the increasing use of portable PDA devices and wireless networks. A third of firms have wireless networks, compared to just two per cent in 2002.
But the survey claims that many firms are still not spending enough. "One factor behind the underinvestment is that security is often seen as an overhead rather than an investment," the report said.
Companies now spend an average of three per cent of their IT budget on security, compared with two per cent two years ago, and large businesses spend roughly four per cent. But this hides the fact that while a quarter are investing above benchmark levels, the majority of firms are spending less than one per cent on security.
Another area marked 'must do better' is contingency planning. Fewer than one in ten businesses, and only a quarter of large ones, have tested their disaster-recovery plans to see if they would work in practice.
Copyright © 2008 CBS Interactive Limited. All rights reserved.