
It's not all good news...
By Colin Barker
Published: 23 April 2008 11:16 BST
A government-sponsored security survey reports that while the number of security breaches has dropped considerably in the past two years, the drop has come at a price.
The latest Information Security Breaches Survey, published yesterday to coincide with the first day of the Infosecurity Europe conference, reveals that IT managers and board-level executives are trying to keep their organisations secure, with some success. According to the survey, the number of security breaches has fallen by a third in the past two years.
However, the survey also reports that, overall, the average spend on security defences by companies and organisations has almost tripled over the past six years.
Despite the relatively good news, the report warns companies and organisations are still leaving themselves open to attack. According to the report, four-fifths of companies that have had a computer or laptop stolen did not have the data on the computer encrypted. In addition, two-thirds of companies allow employees to remove data on unsecured USB sticks.
According to Chris Potter, a partner in PricewaterhouseCoopers and a survey team leader, "there are still two fundamental contradictions" exposed by the report. He said: "Some 79 per cent of businesses believe they have a clear understanding of the security risks they face but only 48 per cent formally assess those risks. Also, 80 per cent are confident that they have caught all significant security breaches but only 56 per cent have procedures to log and respond to incidents."
According to the report, "over the last six years the security landscape has changed dramatically". The survey details many of the improvements in security made by companies across the UK, including the following statistics:
On the other hand, to pay for this relative success in spreading awareness, expenditure on information security has risen from two per cent to seven per cent of IT budget since 2002, according to the survey.
The survey is produced by a consortium led by PricewaterhouseCoopers and the Department of Business, Enterprise and Regulatory Reform, and is carried out every two years.
Survey sponsors claim it is independent, yet it is financed by major IT and security vendors such as Symantec and HP, who sell software to the security market.
However, PricewaterhouseCoopers's Potter rejected any suggestion that the involvement of security vendors made the report less independent.
Potter told silicon.com sister site ZDNet.co.uk: "We are looking at every aspect of the report all the time to ensure that it is accurate and independent. Also, there is a long list of independent organisations who have checked out the survey and given us their comments on what is said."
Organisations that have reviewed the survey include the government parliamentary body, Eurim; the Jericho Forum; the National Computing Centre; the Information Security Awareness Forum; and the government campaign, GetSafeOnline.
Potter said: "These organisations would not lend their name to it unless they were happy that it showed a true and independent picture."
Original article: Security breaches down, says IT security report from ZDNet UK