02 Nov 1999
More than a third of UK companies still do not have information security policies and are failing to protect themselves from security risks such as loss of finance, intellectual capital or reputation.
The findings in consultancy Ernst and Young's second global Information Security Survey, which gathered responses from 4300 senior IT professionals in 35 countries (including 500 from the UK), revealed that only 57 per cent of UK firms have information security policies and procedures in place.
Only 29 per cent use a security risk management methodology to identify assets and scale controls.
This is despite years of warnings from organisations such as the British Standards Institute and the Department of Trade and Industry's IT Security Evaluation & Certification (Itsec) scheme.
Other findings among UK respondents showed that only 32 per cent of those who believed the Internet offered them new business opportunities expressed security concerns, and some 33 per cent of respondents who suffered an external hacking attack did not have a firewall installed.
Only 27 per cent undertook security awareness training, yet 76 per cent regarded it as very important.
Despite this slackness over security, half used the Internet to transmit important financial information and 40 per cent planned to use ecommerce within the next two years.
Jan Babiak, partner and head of UK information systems assurance & advisory services at Ernst & Young, said: "In a number of industries, doing business over the Internet is being likened to the new Industrial Revolution. The stakes are high, there's everything to play for and consequently, everything to lose."
The millennium bug is an area of particular UK concern, according to the survey. Although the UK leads the rest of Europe with continuity planning, only 51 per cent of UK respondents have plans in place. Of those, only 17 per cent said their plans were based on a recent business impact analysis - potentially impacting on recovery plans after a Year 2000 disaster.
Of the 40 per cent of respondents who developed business continuity plans, only 18 per cent tested them.
Babiak added: "The failure of businesses to manage risk may simply be because they are unaware of the high levels to which they are exposed. The survey reveals a worrying trend among UK management generally as to who should act now to put the appropriate security measures in place before they risk financial loss."