DTI survey uncovers security complacency

An influential study sponsored by the Department of Trade and Industry has painted a widespread picture of complacency and lack of security awareness among UK businesses.

The survey of 1000 firms across British industry, released today, has revealed that 60 per cent of companies interviewed have suffered a security breach within the past two years. Alarmingly, almost two in three companies with an "extremely serious" breach maintained "nothing has changed" since the breach occurred.

The survey, which found that one in three firms trade over the internet, shows UK businesses' ignorance and complacency about the importance of security to ebusiness. More than four in five businesses with external electronic links do not use any firewall protection and 59 per cent of those with a website do not use website protection.

Against this organisations reported that security breaches cost from between £20,000 to well in excess of £100,000.

The principal cause of security breaches, representing two in five cases, was human error - highlighting that security best practice goes deeper than technology alone. Chief among these shortcomings was a failure to undertake risk assessment - only one in seven organisations has a formal information management security policy in place.

Deri Jones, managing director of security testers NTA Monitor, said security awareness in organisations varies enormously with a percentage of firms leaving themselves "wide open".

"Many organisations have spent money on firewalls and any problems encountered are due to oversights," said Jones. He added that internet security is still a relatively young market.

"There has been a rush since the start of the millennium to get ecommerce projects live, and some organisations are finding that it's much harder to get security back. It's much easier to put it into the project in the first place," he said.

The full findings of the DTI's Information Security Breaches Survey 2000 (ISBS 2000) will be released at Infosecurity Europe 2000 on 11 April at Olympia in London.

Patricia Hewitt, the ecommerce minister, said: "The consequences of security incidents can be disastrous but they are avoidable."

There were however some signs that the Government's message was getting through. The vast majority of organisations interviewed had virus protection and password controls.

Bob Brace, global vice president Nokia Internet Communications, which managed the survey along with Axent Technologies, said: "As an industry we have to raise awareness of the issues involved without causing panic. We need to remove the fear of doing business in a wired world, but not remove the paranoia."

The full findings of the DTI's Information Security Breaches Survey 2000 will be released at Infosecurity Europe 2000 on 11 April at Olympia in London.