April 22 2008
Confidential data at risk
Confidential data remains at risk despite increased business awareness, new survey finds
According to the latest Information Security Breaches Survey (ISBS), carried out by a consortium led by PricewaterhouseCoopers LLP on behalf of the Department for Business, Enterprise & Regulatory Reform (BERR), businesses are still allegedly haemorrhaging data despite increased awareness of security issues at all levels.
IT systems and information security are more important to UK companies than ever before: 81% of boards give a high or very high priority to information security, and the average spend by companies on security defences has tripled over the last six years, resulting in the overall cost to UK plc of reported security breaches dropping by a third.
Chris Potter, partner, PricewaterhouseCoopers LLP, who led the survey, added:
“There are still some fundamental contradictions. Some 79% of businesses believe they have a clear understanding of the security risks they face, but only 48% formally assess those risks. Also, 88% are confident that they have caught all significant security breaches, but only 56% have procedures to log and respond to incidents. The survey also shows 71% have procedures to comply with the Data Protection Act, but only 8% encrypt laptop hard drives. Businesses all need to ensure that their defences are sound if they want to continue to enjoy the benefits that technology brings.”
The survey findings also indicate that confidential information is increasingly at risk, especially in large businesses, where:
- 13% have detected unauthorised outsiders within their network;
- 9% had fake (phishing) emails sent asking their customers for data;
- 9% had customers impersonated (e.g. after identity theft); and
- 6% have suffered a confidentiality breach.
While 77% of UK companies say that protecting customer data is a very important driver of their information security expenditure, many companies are simply not doing enough to achieve this goal:
- 10% of websites that accept payment details do not encrypt them;
- 21% of companies spend less than 1% of their IT budget on information security;
- 67% do nothing to prevent confidential data leaving on USB sticks;
- 78% of companies that had computers stolen had not encrypted their hard drives; and
- 79% are not aware of the contents of security standards BS 7799/ISO 27001.
While security is important, it’s crucial to set a balance between what is a threat and what’s hype. Last time, we seem to remember that the key threat for security was the iPod; its 60Gb hard drive was ripe for industrial espionage, but I don’t think we can recall a single instance of anyone using one. This time it seems like it’s the USB memory stick. Yes, someone will steal some information using a USB key, but the cost to prevent a loss like this is prohibitive and is just not feasible for most businesses.