UK businesses are ignoring threats to their IT systems, despite growing evidence
of the serious impact this can have. DeeDee Doke reports
Employee abuse of the internet is rising, yet fewer UK businesses are exerting controls
over how their workers use the web, according to the DTI’s bi-annual Information
Security Breaches Survey.
In 2004, only 16 per cent of UK companies block or quarantine e-mails, compared to
57 per cent in 2002. And nearly a third of companies place no controls on
e-mail or internet access, despite the rise in breaches of IT security: in the past year, 74 per cent
of all UK businesses, and 94 per cent of large businesses, have experienced a
security incident. The average UK business has about one security incident per
month and large businesses about one a week.
Malicious incidents increased significantly between 2002 and 2004, with 68 per cent of
all UK companies, and 91 per cent of large businesses, experiencing at least
one such incident – including viruses, fraud, theft, unauthorised access and
systems misuse – in the past year.
For the average UK business, the median cost of an organisation’s most serious
security incident was £10,000 – but for large companies, that figure averaged
£120,000. Eight per cent of companies said their worst security incident
involved staff misuse of the internet.
“The battle to contain the information security menace will be a long one, and it is
far from over. But it is not a battle UK businesses can afford to lose,” said
MP Stephen Timms, minister of state for energy, e-commerce and postal services,
announcing the survey findings last week at the Infosecurity Europe 2004
exhibition in London.
The survey involved interviews with 1,000 businesses, and was conducted by a
consortium of IT companies led by PricewaterhouseCoopers (PwC) along with
industry sponsors Microsoft, Entrust and Computer Associates.
Respondents identified too many personal e-mails and access to inappropriate websites as
the two biggest abuses of company internet services. But other incidents
included legal infringements such as downloading copyrighted material and
unauthorised access to systems.
One of the greatest security threats is the growing number of home-based workers
with remote access to company information systems.
Simon Perry, security strategist for Computer Associates, described home-based
computers accessing company information systems as “potentially… an army of
machines to be used by the hacking community” to damage or disrupt those
systems. Perry urged business to step up security measures for its home-based
workforce computers.
Andrew Beard, the PwC advisory director leading the survey, said: “Businesses seem to
be dragging their feet when it comes to introducing security controls over
remote access to their systems.”
One reason, he said, is that most companies fail to analyse their security
incidents in a way that will help them identify which breaches were caused by
remote access.
“Many of the people who want remote access appear to be the least aware of the
additional risks it entails,” said Beard. He also blamed lack of awareness of
available security techniques.
To attempt to combat some of these problems, an all-party parliamentary committee
is spearheading an inquiry and public hearing into the Computer Misuse Act.
Working in conjunction with the Home Office, the aim is to have a new
cyber-crime Bill introduced in the next six months.
By DeeDee Doke