Out-Law News
11 Jul 2003, 12:00 am
According to the research, security is seen more and more as a technical rather than a business issue, with organisations believing they have overcome any security issues by appointing an in-house technical team. Over 40% of directors interviewed said they would be focusing security investment on technology compared to 35% who plan to invest in security policy, standards and processes.
Unusually, the public sector is leading the way in reversing this trend and is planning to spend more on policy than technology. This is no doubt influenced by the CESG's Manual of Protective Security which governs the public sector and includes best practice standards and guidelines.
Now in its third year, the research - Information Security in the UK 2003 - reveals the changing views of the UK's FTSE 500 companies and their public sector equivalents.
Overall, the research shows there is a lack of strategic direction in managing information security and more of a tendency to solve problems with ad-hoc technology countermeasures. Even awareness amongst directors of formal security procedures being in place has dropped from 82% to 54% in just one year.
David Porter, head of security and risk at Detica, said:
"This lack of awareness is either because companies have cut back on security procedures or because directors have delegated and are so confident of procedures being in place and adhered to that they are no longer conscious of it on a day-to-day basis. Either way it's a game of Russian roulette which isn't going to improve all the time that companies take this laissez-faire attitude to security."
It seems the situation is unlikely to improve with the research showing that any drive towards the adoption of information security best practice is also on the wane.
Despite a catalogue of security disasters from September 11 to the collapse of Enron, there has been a significant drop in awareness of BS7799 – the code of practice for information security. Last year 9% of directors said they were seeking BS7799 accreditation compared to just 2% in 2003. At the same time the number of directors who are not even aware of the standard has risen in three years from 33% to 57%.
Porter continues:
"This is bad news for organisations in both the public and private sector which are relying on public confidence in information security to drive more business on-line. The research shows that the majority of business in financial services, public sector, telecommunications, travel and utility organisations is already carried out via the internet.
"With all of these organisations aspiring to move more and more of their business on-line, it's time they took a long hard look at their security procedures to ensure they meet the standards that most consumers would expect."
The research, entitled Information Security in the UK 2003, was commissioned by Detica and conducted in April 2003 by The Ashdown Group to ascertain the current situation at 140 FTSE 500 companies and major public sector organisations.