Out-Law News

Internet abuse follows viruses in work security stakes, says survey


The misuse of the internet by staff accessing inappropriate websites or spending too long online is second only to viruses as a cause of reported security incidents, according to a biannual survey by the Department of Trade and Industry and PwC.

The DTI Information Security Breaches Survey 2006, managed by PricewaterhouseCoopers, found that 17% of UK businesses suffered staff misuse of web access and 11% had misuse of email. Larger companies were more likely to have incidents involving staff misuse – 52% and 43% respectively.

In a fact sheet, ‘E-mail and web usage’, sponsored by security software specialist Clearswift, PwC reveals that 41% of the worst incidents involved staff accessing inappropriate websites and a further 36% of worst incidents related to excessive web surfing. The most serious of such incidents involved access to illegal material; several companies reported incidents of staff accessing child pornography.

But the average cost of individual incidents of misuse was relatively low compared with other types of security breach. Less than 10% caused business disruption or direct cash costs.

However, the increase in the number of business broadband connections – now used by around 88% of businesses – has seen an increase in the risk of damage to reputation through staff misuse of web or email. Business reputation was cited as one of the most important drivers for information security by 90% of all companies surveyed.

In recognition of this, PwC found that one and a half times as many companies have an acceptable policy for internet usage as two years ago: 63% of all companies and 89% of large ones have an acceptable usage policy. This is more than have an overall information security policy.

The policies have had an impact. According to the survey, after sharp rises in staff misuse levels two years ago, the number of companies affected has now stabilised, reflecting the impact of the improved levels of control.

But PwC warns that many UK businesses are not taking the risks seriously. It reveals that three-fifths do not block access to inappropriate websites and only one in six scans outgoing email for inappropriate content.

Protecting confidential information sent by email is also still rare – in only a quarter of UK businesses can staff send encrypted email to the company’s business partners. In addition, roughly one in five UK companies allows staff to download free auto-address software onto their PCs despite the fact that such software often stores confidential information such as email addresses on a third party’s servers.

“As companies implement better controls around email and web usage, they tend to detect misuse already happening,” said Chris Potter, the PwC partner leading the survey. “Where those businesses have an acceptable usage policy in place, they are nearly three times as likely to detect misuse as those that don’t. It is very hard to police this area if you haven’t agreed what an acceptable usage policy is.”

“An increasing number of companies are using email to communicate with customers and business partners,” he added. “Given how important reputation is to businesses, it is surprising that five-sixths do not scan outgoing email for inappropriate content. Companies that scan their outgoing emails are much more likely to detect any misuse, but the worry is that the others may be letting inappropriate content slip through, to the potential detriment of their reputation.”

The survey canvassed the views of 1,000 companies of all sizes. The full results of the survey will be published at the Infosecurity Europe exhibition and conference in London, which concludes today.
