Encryption still underused in financial transactions, warns PwC

The findings are part of the 2006 Department of Trade and Industry's biennial Information Security Breaches Survey. PricewaterhouseCoopers, leading a consortium of researchers for the survey, found most large organisations following best practice for network and data security.  

Nine-tenths of respondents recognised that protecting customer information was important or very important and a strong justification for security expenditure. This has become one of the biggest drivers for IT security spending.

But while adoption of traditional security controls, such as firewalls, is high, newer technologies are being adopted faster than the controls to protect against their misuse.  Protection of wireless networks has improved since 2004, but many small firms are still not adopting strong controls.

Firms are not considering the security implications of adopting Voice over Internet Protocol (VoIP) telephony. Because VoIP enables a channel to be opened through the firewall, it needs to be managed correctly to ensure the risks are limited. But despite widespread publicity, only half have evaluated the security risks.

Key findings from the telephone survey of 1,000 companies include:

• Increasing volumes of online business are raising the priority given to protection of customer data. 90% of firms considered this important or very important, and a strong justification for security expenditure. 
• There was a rise in the number of companies that reported an attack on their internet or telecommunications traffic. Over a quarter of those affected by attempts to break into their networks said they suffered at least one significant attempt every day.
• The businesses attacked tended to be those that accept financial transactions online. All the websites that accept financial transactions are behind a firewall.
• Fewer than two-thirds of websites accepting financial transactions encrypt the data they receive. In contrast, every transactional website run by a very large respondent uses encryption.
• Controls over authorised wireless networks have improved. The number of unprotected networks has halved since 2004. However, there is no room for complacency: one in five firms still lacks any controls.
• Few small businesses use VoIP telephony and 31% of large businesses have adopted VoIP and more are planning to use it over the next year. Half of the businesses that have implemented VoIP did so without evaluating the security risks.

The full results of the survey will be launched at Infosecurity Europe in London, 25–27 April.