British businesses have made significant progress over the last two years towards tightening up the security of their IT systems, but many are still badly equipped to deal with the rising threat from organised criminals who are moving online.
That's one key finding from the 2006 Information Security Breaches Survey, carried out by PricewaterhouseCoopers for the Department of Trade and Industry and published on Tuesday.
The survey found evidence that businesses are paying more attention to security risks, through buying security products and by writing and enforcing policies, and this appears to be bearing fruit.
The number of companies falling victim to a malicious security attack dropped to 52 percent this year, compared to 68 percent in 2004, and three times as many companies have a security policy today compared to six years ago.
Alun Michael, DTI minister for industry, told journalists at the Infosecurity show in London that he saw "encouraging signs that security is now being treated as an important business issue".
"We may now have got on top of the problems of the late 1990s, when virus writers got the upper hand over us. But we are now at the start of a much darker era, where organised criminals are involved, not spotty teenagers," said Michael.
Michael said he is also concerned that small businesses and home users will be badly affected if the security industry fails to provide easily accessible products to protect against the latest malware.
"My challenge to vendors and purchasers is this: how can we make security more accessible to the inexperienced user, and avoid security solutions that exacerbate the digital divide?" said Michael, warning that otherwise, "the peasants outside the castle in their huts will be the first to burn."
Jeremy Ward, director of services development at Symantec, which co-sponsored the report, said that companies and individuals were threatened by a new breed of code which he dubbed "modular malware". These are programs so small that they can avoid being detected by antivirus software. Once installed on a computer or network, they will attempt to install more malicious code.
"We call this crimeware," said Ward. "It's following the money and targeting online gambling sites and banks — where the money is."