Fewer, deadlier attacks hit corporate IT, reports BERR

The study also claims that the falling numbers could be an understatement of the true figures.

The Department for Business and Regulatory Reform (BERR) has published research into IT security in business which shows that the number of security incidents appears to be falling, but this is partly due to the fact that minor breaches such as viruses are no longer deemed to be security breaches demanding management time.

The survey of 1,000 UK businesses found that the average cost of a breach rose from £7,000–14,000 to £10,000–20,000. It also suggests that many incidents go unreported or even undetected.

"Fewer companies had a security incident in the last year than two years ago. After the peak in 2004, the number of companies affected by security breaches has returned to the level seen in 2002," said the survey.

"While the good news is welcome, it is important to remember that these statistics under-estimate the actual experience," it said. "Attitudes and controls in some companies mean that incident statistics are probably understated. For example, companies that carry out risk assessment are four times as likely to detect identity theft as those that do not."

"There is some evidence that management is becoming desensitised to minor incidents in well-understood areas, such as systems failure and virus infection," said the survey. "Companies no longer regard these as security breaches, but as routine events swept up by business-as-usual controls without needing to be logged."

Though the proportion of companies suffering a serious security breach has stayed constant at a quarter, serious breaches now make up a higher share of all the breaches that happen, because the total number of breaches has fallen.

The cost of serious incidents is on the rise. Though the number of companies affected by incidents has fallen by a quarter, the average cost of those incidents has increased by a quarter.

As companies find they have to pay less attention to incoming problems such as viruses, they must now deal with the growing problem of securing outgoing information.

The survey found that 67% of companies do nothing to prevent confidential data being put on to USB memory sticks and leaving the company, while 78% of those which had had computers stolen from them did not encrypt the information on the machines. It also found that 84% of companies did not scan outgoing email for confidential data.

Outsourcing of IT functions is on the rise, said the report, and that brings its own security problems. "The number of companies offshoring some of the IT operations has doubled since 2006, and has quadrupled for large businesses," said the study. "Six out of seven very large businesses now offshore some of their IT operations."

"91% of companies that give a very high priority to security have service level agreements in place for their outsourced operations, compared with only 50% of those for whom security is low or no priority," it said. "For offshored operations, companies where security is a very high priority tend to restrict access and tie down data protection procedures."

The report said that businesses clearly felt confident about IT security, but that the evidence did not always back that feeling up.

"79% of businesses believe they have a clear understanding of the security risks they face, but only 48% formally assess those risks," it said. "88% are confident that they have caught all significant security breaches, but only 56% have procedures to log and respond to incidents.

81% believe security is a high priority to their board, but only 55% have a security policy. 77% say protecting customer information is very important, but only 11% prevent it walking out of the door on USB sticks. 71% have procedures to comply with the Data Protection Act, but only 8% encrypt laptop hard drives."