Survey finds data still at risk

IT SECURITY risks are still significant despite increased business awareness of data threats, according to the 2008 Information Security Breaches Survey conducted for the Department of Business, Enterprise and Regulatory Reform and presented at the Infosecurity Europe conference in London.

Information security is more important to UK companies now, with 81 per cent of boards giving it high or very high priority ratings. Safeguard measures have improved, especially with regard to ensuring that backups are created and that antivirus software is deployed and updated.

Companies are spending three times more on information security than they did six years ago, yielding a one-third reduction in the annual cost of security breaches. However, companies' annual losses still amount to billions of pounds.

These key findings of the 2008 survey were developed by a consortium of firms led by PricewaterhouseCoopers LLP (PWC) that also included HP, Symantec and The Security Company (International) Ltd. The survey is done biannually.

Many companies remain exposed to the loss of confidential data despite having suffered security breaches and having made improvements in security controls. Examples are that four-fifths of companies that have had computers stolen still have not implemented hard drive encryption, and two-thirds of companies still have no measures in place to prevent theft of confidential data via USB sticks.

The UK government's Business Minister Shriti Vadera said: "New technology is a key source of productivity gains, but without adequate investment in security defences these gains can be undermined by IT security breaches. The survey shows increased understanding by business of the opportunities and threats, but challenges remain."

PWC partner Chris Potter, who led the survey, indicated that some fundamental contradictions still remain between companies' self-perceptions of their inte rnal security awareness and the measures they have taken to address them, saying:

"Some 79 per cent of businesses believe they have a clear understanding of the security risks they face, but only 48 per cent formally assess those risks. Also, 88 per cent are confident that they have caught all significant security breaches, but only 56 per cent have procedures to log and respond to incidents. The survey also shows 71 per cent have procedures to comply with the Data Protection Act, but only eight per cent encrypt laptop hard drives."

He concluded, "Businesses all need to ensure that their defences are sound if they want to continue to enjoy the benefits that technology brings."

The survey details findings regarding companies' IT security spending, use of security policies, procedures and training, broadband Internet, wireless and VoIP communications, outsourcing and offshoring of IT operations, virus and spyware scanning, encryption, and authentication.

It also presents information gathered regarding the number, frequency, size, per incident cost and total losses related to information security breaches that were suffered by businesses that participated in the survey.

In addition, it outlines findings about companies' risks and incidents involving confidential business information, as well as findings relating to the measures companies are taking to protect customer data.

Finally, the survey report suggests general steps businesses of all sizes should take to protect themselves from information security breaches.

A copy of the report can be obtained by sending an email here. µ