Security breaches resulting from identity management flaws are rising and creating huge problems for businesses, research shows.

Identity management breaches affected one in 10 large companies last year, and half of them said it was their worst security problem of the year, according to the Department of Trade and Industry's biennial Information Security Breaches Survey 2004.

The identity management part of the survey, sponsored by Entrust, found that confidentiality breaches tended to cause long term disruption to businesses, with 15 per cent of those that had been hot, reporting problems that lasted a month or longer.

'If you compare the problem of identity management to viruses, it's not growing as fast so the number of organisations that have had a major breach resulting from identity management is not as large,' said Chris Potter, the PricewaterhouseCoopers partner leading the survey.

'However, the large sting in the tail is that when people suffer financial fraud, theft or disclosure of confidential information, these breaches tend to be very, very significant to their business,' he said.

Confidentiality breaches resulted in the largest amount of staff time required to remedy the problem, at 10 to 20 man days. They also resulted in the largest monetary loss with 15 per cent costing £100,000 in legal fees, investigation costs and fines.

The survey found that companies are at least in part bringing the problem on themselves.

Some 87 per cent of respondents admitted to relying solely on user ID and passwords to identify users, while 7 per cent confessed to having no protection at all.

'Passwords are overwhelmingly the way people authenticate,' Potter said. 'There are really only early adopters using that have moved to strong authentication, and they tend to be in larger organisations.'

In addition, companies are being too lax when to comes to allowing staff to share passwords, and are not adding new staff fast enough to systems when they join, or perhaps more dangerous, removing access when they leave.

The research found that just two per cent of companies use biometrics to authenticate users, which is considered to be very strong authentication.

Contrary to popular belief, the majority of these identity breaches are not coming from inside internal sources.

According to Potter, 80 per cent of attacks are now being generated from external sources.