Security spend triples, breaches fall 30 percent

A UK government-sponsored security survey reports that security breaches have fallen by a third in the past two years but spending on security has increased significantly.

The latest Information Security Breaches Survey, published on Tuesday to coincide with the first day of the Infosecurity Europe conference, revealed that IT managers and board-level executives are trying to keep their organisations secure, with some success. According to the survey, the number of security breaches has fallen by a third in the past two years.

However, the survey also reports that, overall, the average spend on security defences by companies and organisations has almost tripled over the past six years.

Despite the relatively good news, the report warns that companies and organisations are still leaving themselves open to attack. According to the report, four-fifths of companies that had had a computer or laptop stolen did not have the data on the computer encrypted. In addition, two-thirds of companies allow employees to remove data on unsecured USB sticks.

According to Chris Potter, a partner in PricewaterhouseCoopers and a survey team leader, "there are still two fundamental contradictions" exposed by the report. "Some 79 percent of businesses believe they have a clear understanding of the security risks they face, but only 48 percent formally assess those risks," he said. "Also, 80 percent are confident that they have caught all significant security breaches, but only 56 percent have procedures to log and respond to incidents."

According to the report, "over the last six years the security landscape has changed dramatically". The survey details many of the improvements in security made by companies across the UK, including the following statistics:

• Ninety-eight percent of companies now have software to scan for spyware
• Ninety-four percent of wireless networks are now encrypted (versus 47 percent in 2002)
• Fifty-five percent have a document security policy (versus 27 percent in 2002)
• Fourteen percent use strong (that is, multi-factor) security authentication

On the other hand, to pay for this relative success in spreading awareness, expenditure on information security has risen from two percent to seven percent of IT budget since 2002, according to the survey.

The survey was produced by a consortium led by PricewaterhouseCoopers and the Department of Business, Enterprise and Regulatory Reform (BERR), and is carried out every two years.

Survey sponsors claim it is independent, yet it is financed by major IT and security vendors such as Symantec and HP, who sell software to the security market.

However, PricewaterhouseCoopers's Potter rejected any suggestion that the involvement of security vendors made the report less independent.

"We are looking at every aspect of the report all the time to ensure that it is accurate and independent," he told ZDNet.com.au sister site ZDNet.co.uk. "Also, there is a long list of independent organisations who have checked out the survey and given us their comments on what is said." He said it was the equivalent of peer reviewing in academia, where researchers get the opportunity to review and comment on their colleague's research.

Organisations that have reviewed the survey include the government parliamentary body, Eurim; the Jericho Forum; the National Computing Centre; the Information Security Awareness Forum; and the government campaign, GetSafeOnline.

"These organisations would not lend their name to it unless they were happy that it showed a true and independent picture," said Potter.