Could Do Better - UK PLC

Computing Magazine reports that just one per cent of UK companies are taking all the necessary measures to prevent computer crimes within their organisation, according to a government IT security survey.

The Department of Trade and Industry’s (DTI) biennial Information Security Breaches Survey for 2006 shows that, despite increased investment, most companies lack sufficient identity and access management systems to guard against internal fraud and intellectual property theft.

Among large companies there was a small increase in security incidents, with insufficient identity and access management providing employees at one in five of these firms with unauthorised access to sensitive information.

As well as financial loss, unauthorised access to customer databases and intellectual property can damage a company’s reputation and even its share prices, says the report.

Part of the problem is that 80 per cent of businesses rely solely on passwords rather than adopting stronger forms of identity, such as tokens or biometrics, to secure business-critical applications and databases.

In large firms 70 per cent of employees have to remember between two and six passwords to access systems, which can lead to some staff writing them down.

‘It is worrying that firms are using just passwords. We know how crackable passwords are and how easy it is to get people to give them out through social engineering tactics, yet firms still rely on them,’ said Beard.

But Andrew Yeomans, vice president of information security at Dresdner Kleinwort Wasserstein, says identity and access management depend as much on business processes as on IT.

‘Companies need to make appropriate risk-based judgements, and must remember that convenience and the usability of systems is part of that.’