One in five of the UK's larger companies suffered security breaches of their IT systems in the past year because of weaknesses in their approach to identity management, according to the preliminary findings of a survey to be published next month.
For one in ten, the breach was significant, and half of all those affected said the breach was more serious than their virus incidents, according to the Information Security Breaches Survey, conducted by a consortium led by PricewaterhouseCoopers for the DTI (Department of Trade and Industry) and covering more than 1,000 UK companies.
Unauthorised access to IT systems caused significant business disruption, lasting more than a month in 15 percent of the cases, and took on average 10 to 20 days to investigate. These breaches also incurred the biggest direct cash cost of any security incident -- more than £100,000 in legal fees, investigation costs and fines in 15 percent of cases.
Companies' access controls are failing to prevent these incidents, the survey found. "The first root cause is that often the sheer number of users and systems puts user administration processes under strain," the authors write. To counter this, companies are increasingly automating their processes for granting access to systems: 16 percent of all companies and 31 percent of large ones do so. Automating user provisioning appears to work. None of the respondents that had done so had suffered financial fraud or systems penetration from outside in the past year, although the survey reports an association rather than a controlled comparison.
The second root cause is over-reliance on passwords to check users' identity. Some 87 percent of all companies rely solely on user IDs and passwords, and 7 percent have no access controls at all. Businesses that had adopted single sign-on without strong authentication had a higher-than-average incidence of unauthorised access, since a single compromised password then opens every connected system.
Tokens, smart cards and biometrics are used in only 6 percent of companies, rising to roughly a quarter of large businesses. Those large businesses appear to be reaping the benefit: just 3 percent of them suffered an unauthorised access breach, compared with 20 percent of those that have not adopted these stronger forms of authentication.
The report is sponsored by Entrust, which produces identity and access-management solutions that include tokens and smart cards.