The latest Government-sponsored survey of information security breaches in the UK, conducted by a consortium led by PricewaterhouseCoopers LLP, was released at the InfoSec Show in London today.
It found that three-quarters of UK businesses rate security as a high or very high priority for their senior management or board of directors. The priority given to security has translated into action. UK companies are spending more on information security controls than ever, on average 4-5% of their IT budget, up from 3% in 2004 and 2% in 2002. The increased expenditure is leading to better adoption of security controls; for example, three times as many companies have a security policy as did six years ago, and 98% of businesses have anti-virus software in place.
This investment appears to be paying off. Fewer companies had security incidents than in 2004 when the survey was last undertaken. Overall, 62% of businesses have had a security incident in the past year, down from 74% two years ago. Large businesses continue to be more security-conscious and they have reaped rewards as the total cost to them of security incidents has fallen by 50% over the last two years.
However, the burden of security incidents is falling on small businesses where security controls tend to be less well-developed. The average number of incidents suffered has risen by 50% to roughly eight a year. The average cost (principally business disruption cost rather than cash losses) of a UK company's worst security incident was approximately £12,000 - up from £10,000 two years ago. Overall, an indicative estimate of the total cost of security breaches to UK plc is up by 50% from two years ago, and is around £10 billion per annum.
Greater use of emerging technologies is changing the nature of the security threat UK businesses face. Companies are slow to adopt controls to reduce this threat. A quarter of UK businesses is not protected against spyware. Although more wireless networks are protected than two years ago, one in five is still completely unprotected and a further one in five is unencrypted. 55% of firms have not taken any steps to protect themselves against the threat posed by removable media devices. Two-fifths of companies that allow staff to use Instant Messaging have no controls in place over its use. Of the companies that have implemented Voice over Internet Protocol (VOIP) telephony, half did so without evaluating the security risks.
The five key recommendations from the survey are for UK companies to:
* Draw on the right expertise and international standards to understand the security threats they face and their legal responsibilities.
* Integrate security into normal business practice, through a clear security policy and staff education.
* Use risk assessment to target their investment in security controls at the areas of maximum business benefit.
* Make sure their key security defences are up to date and integrated, and address emerging technologies they are exposed to (such as spyware, instant messaging, Voice over IP, etc.).
* Develop contingency plans so that they can respond to any security incidents efficiently and minimise business disruption.
The Department of Trade and Industry's 2006 biennial Information Security Breaches Survey (ISBS), like its seven predecessors, is considered the most authoritative source on the state of information security in the UK. The consortium that ran the survey included Microsoft, Symantec, Entrust and Clearswift. The detailed findings were launched today at Infosecurity Europe in London.
Other key findings from the telephone survey of 1,000 companies included:
* The main drivers for information security expenditure remain confidentiality, integrity and availability. 90% of businesses rate these as important. Enabling business opportunities and improving efficiency tend to be less significant and 30% of those questioned do not consider these as important.
* The gap between companies that are focused on information security and those that are not is widening. Approximately 50% of all UK businesses have security policies and carry out risk assessment on information security. However, while the rest may have anti-virus controls, they lack basic security disciplines and may be over-confident about the effectiveness of their security controls. Two-fifths of companies spend less than 1% of their IT budget on information security.
* The rise in the number of businesses affected by security incidents seen in the last few surveys appears to be levelling off. However, although the number of companies affected has decreased since 2004, it is still twice the level seen a decade ago.
* Large businesses are more likely to have security incidents (87%) than small businesses and their breaches tend to be more expensive (£90,000 on average for the worst incident).
* Over a quarter of those with transactional websites do not encrypt the transactions that pass over the Internet.
* Nearly two-thirds of UK businesses believe there will be more security incidents in the next year than in the last and also believe it will be harder to detect security breaches in the future. In contrast, only one in five is optimistic about the future outlook.
Chris Potter, the partner from PricewaterhouseCoopers LLP leading the survey, said:
"Overall, UK businesses are more aware than ever of the risks they face from information security breaches, in an environment where threats are on the increase, but some still seem to believe they are immune to the dangers and don't have even basic security controls in place. This is particularly worrying as we see new technologies emerging that pose new threats to UK plc. Businesses cannot afford to become complacent.
"What is clear is that the cost to UK plc has never been greater and companies should take steps to put security in place to protect themselves against unwelcome - and expensive - security breaches."
The Rt Hon Alun Michael, Minister for Industry and the Regions, said:
"We commission this survey every two years because knowledge is a vital weapon against the growing scale and sophistication of the threats to security.
"We are working with companies small and large in many different ways to help them fight back against the threats to their business, and there has been a steep rise since the last survey in the amount of money spent on security by UK firms.
"The number of companies affected has dropped slightly since the last survey but there is no room for complacency. The cost of the damage caused by the attacks on security has risen as the nature of the attacks has become more serious. That's why it's crucial to have good security in place, which also respects the way that ICT is used within the business so that security is not an inhibitor to effective working."