The Department for Business, Enterprise and Regulatory Reform (BERR) has
published research into IT security in business which shows that
the number of security incidents appears to be falling, but this is
partly because minor breaches such as virus infections are no
longer deemed to be security breaches demanding management
time.
The survey of 1,000 UK businesses found that the average cost of
a breach rose from £7,000–£14,000 to £10,000–£20,000. It also
suggests that many incidents go unreported or even undetected.
"Fewer companies had a security incident in the last year than
two years ago. After the peak in 2004, the number of companies
affected by security breaches has returned to the level seen in
2002," said the survey.
"While the good news is welcome, it is important to remember
that these statistics under-estimate the actual experience," it
said. "Attitudes and controls in some companies mean that incident
statistics are probably understated. For example, companies that
carry out risk assessment are four times as likely to detect
identity theft as those that do not."
"There is some evidence that management is becoming desensitised
to minor incidents in well-understood areas, such as systems
failure and virus infection," said the survey. "Companies no longer
regard these as security breaches, but as routine events swept up
by business-as-usual controls without needing to be logged."
Though the proportion of companies suffering a serious security
breach has stayed constant at one in four, serious breaches now make
up a larger share of all the breaches that happen, because the total
number of breaches has fallen.
The cost of serious incidents is on the rise. Though the number
of companies affected by incidents has fallen by a quarter, the
average cost of those incidents has increased by a quarter.
As companies find they need to pay less attention to incoming
problems such as viruses, they must now deal with the growing
problem of securing outgoing information.
The survey found that 67% of companies do nothing to prevent
confidential data being copied on to USB memory sticks and leaving the
company, while 78% of those that had had computers stolen had not
encrypted the information on the machines. It also found
that 84% of companies did not scan outgoing email for confidential
data.
Outsourcing of IT functions is on the rise, said the report, and
that brings its own security problems. "The number of companies
offshoring some of the IT operations has doubled since 2006, and
has quadrupled for large businesses," said the study. "Six out of
seven very large businesses now offshore some of their IT
operations."
"91% of companies that give a very high priority to security
have service level agreements in place for their outsourced
operations, compared with only 50% of those for whom security is
low or no priority," it said. "For offshored operations,
companies where security is a very high priority tend to restrict
access and tie down data protection procedures."
The report said that businesses clearly felt confident about IT
security, but that the evidence did not always back that feeling
up.
"79% of businesses believe they have a clear understanding of
the security risks they face, but only 48% formally assess those
risks," it said. "88% are confident that they have caught all
significant security breaches, but only 56% have procedures to log
and respond to incidents. 81% believe security is a high priority
to their board, but only 55% have a security policy. 77% say
protecting customer information is very important, but only 11%
prevent it walking out of the door on USB sticks. 71% have
procedures to comply with the Data Protection Act, but only 8%
encrypt laptop hard drives."