The DTI
Information Security Breaches Survey 2006, managed by
PricewaterhouseCoopers, found that 17% of UK businesses suffered
staff misuse of web access and 11% had misuse of email. Larger
companies were more likely to have incidents involving staff misuse
– 52% and 43% respectively.
In a fact sheet, ‘E-mail and web usage’, sponsored by security
software specialist Clearswift, PwC reveals that 41% of the worst
incidents involved staff accessing inappropriate websites and a
further 36% of worst incidents related to excessive web surfing.
The most serious of such incidents involved access to illegal
material; several companies reported incidents of staff accessing
child pornography.
But the average cost of individual incidents of misuse was
relatively low compared with other types of security breach. Less
than 10% caused business disruption or direct cash costs.
However, the increase in the number of business broadband
connections – now used by around 88% of businesses – has seen an
increase in the risk of damage to reputation through staff misuse
of web or email. Business reputation was cited as one of the most
important drivers for information security by 90% of all companies
surveyed.
In recognition of this, PwC found that one and a half times as
many companies have an acceptable usage policy for the internet as two
years ago: 63% of all companies and 89% of large ones have an
acceptable usage policy. This is more than have an overall
information security policy.
The policies have had an impact. According to the survey, after
sharp rises in staff misuse levels two years ago, the number of
companies affected has now stabilised, reflecting the impact of the
improved levels of control.
But PwC warns that many UK businesses are not taking the risks
seriously. It reveals that three-fifths do not block access to
inappropriate websites and only one in six scans outgoing email for
inappropriate content.
Protecting confidential information sent by email is also still
rare – in only a quarter of UK businesses can staff send encrypted
email to the company’s business partners. In addition, roughly one
in five UK companies allows staff to download free auto-address
software onto their PCs despite the fact that such software often
stores confidential information such as email addresses on a third
party’s servers.
“As companies implement better controls around email and web
usage, they tend to detect misuse already happening,” said Chris
Potter, the PwC partner leading the survey. “Where those
businesses have an acceptable usage policy in place, they are
nearly three times as likely to detect misuse as those that don’t.
It is very hard to police this area if you haven’t agreed what an
acceptable usage policy is.”
“An increasing number of companies are using email to
communicate with customers and business partners,” he added. “Given
how important reputation is to businesses, it is surprising that
five-sixths do not scan outgoing email for inappropriate content.
Companies that scan their outgoing emails are much more likely to
detect any misuse, but the worry is that the others may be letting
inappropriate content slip through, to the potential detriment of
their reputation.”
The survey canvassed the views of 1,000 companies of all sizes.
The full results of the survey will be published at the
Infosecurity Europe exhibition and conference in London, which
concludes today.