Three times as many companies have a security policy as did six years ago and 98% of businesses have anti-virus software in place – although a quarter are still without spyware protection, according to the latest Government-sponsored survey of information security breaches in the UK.

Three-quarters of UK businesses rated security as a high or very high priority for their senior management or board of directors, according to the research, conducted by a consortium led by PricewaterhouseCoopers.

UK companies are spending more on information security controls than ever, on average 4–5% of their IT budget, up from 3% in 2004 and 2% in 2002.

This investment appears to be paying off. Fewer companies had security incidents than in 2004 when the survey was last undertaken. Overall, 62% of businesses have had a security incident in the past year, down from 74% two years ago. Large businesses continue to be more security-conscious and they have reaped rewards as the total cost to them of security incidents has fallen by 50% over the last two years.

However, the burden of security incidents is falling on small businesses, where security controls tend to be less well-developed. The average number of incidents suffered has risen by 50% to roughly eight a year. The average cost (principally business disruption cost rather than cash losses) of a UK company's worst security incident was approximately £12,000 – up from £10,000 two years ago. Overall, an indicative estimate of the total cost of security breaches to UK plc is up by 50% from two years ago, and is around £10 billion per annum.

Greater use of emerging technologies is changing the nature of the security threat UK businesses face. Companies are slow to adopt controls to reduce this threat. A quarter of UK businesses are not protected against spyware and, although more wireless networks are protected than two years ago, one in five is still completely unprotected. A further one in five is unencrypted.

Fifty-five percent of firms have not taken any steps to protect themselves against the threat posed by removable media devices. Two-fifths of companies that allow staff to use Instant Messaging have no controls in place over its use. Of the companies that have implemented Voice over Internet Protocol (VoIP) telephony, half did so without evaluating the security risks.

The five key recommendations from the survey are for UK companies to:

  • Draw on the right expertise and international standards to understand the security threats they face and their legal responsibilities.
  • Integrate security into normal business practice, through a clear security policy and staff education.
  • Use risk assessment to target their investment in security controls at the areas of maximum business benefit.
  • Make sure their key security defences are up to date and integrated, and address emerging technologies they are exposed to (such as spyware, instant messaging, VoIP, etc.).
  • Develop contingency plans so that they can respond to any security incidents efficiently and minimise business disruption.

The 2006 Department of Trade and Industry's biennial Information Security Breaches Survey (ISBS), like its seven predecessors, is considered the most authoritative source on the state of information security in the UK. The consortium that ran the survey included Microsoft, Symantec, Entrust and Clearswift. The detailed findings were launched this week at Infosecurity Europe in London.
