Out-Law News

Lax security in public sector IT, says study


The effectiveness of IT security arrangements in British public sector organisations is being undermined by a culture of complacency and a failure to ensure that staff understand the rules, according to a survey by the Audit Commission.

While there has been some improvement in the incidence of business disruption by viruses or hackers – down to 20% of reported cases, compared to 39% in 2001 – public bodies still do not seem to appreciate the risks created by new technologies, such as PDAs, nor the need to tackle workplace access to pornography, says the survey.

In fact, there has been a 13% increase in incidents of staff accessing porn or other inappropriate material – up to 52% of cases in 2004, compared to 39% in 2001.

Cases involving financial risk have also increased to 28% of cases in 2004, as opposed to 22% in 2001.

The survey, carried out in 2004, is based on the responses of more than 400 public sector organisations, including NHS trusts, local authorities, police and fire authorities.

Two hundred cases of ICT fraud and abuse were identified in the survey, the results of which have been published in a report, “An Update on ICT Fraud and Abuse 2004.”

The report highlights the key role played by staff in implementing ICT security, and warns that only half of public sector organisations have actually initiated staff training in these systems.

Only a third of organisations inform their staff about their ICT security policy – although a policy is now in place in 96% of organisations – or educate staff on what they should be doing. Only 20% of public bodies actually give their staff a copy of the security policy.

“ICT security is only as effective as the staff within the organisation, and too often we are finding that staff are unsure of their role,” said Steve Bundred, CEO of the Audit Commission. “If we fail to get this right we risk eroding the confidence of citizens in the electronic systems that underpin public services.”

Alongside the report the Commission has produced a self-assessment questionnaire for chief executives and other senior managers to use when considering their own organisation's susceptibility to ICT fraud and abuse.

It has also developed the Your Business at Risk (YBAR) database, which organisations can use to compare their ICT security measures against those of a range of other organisations.
