Poor IT security costs British business billions

A government-backed report discovers underinvestment in IT security, and finds that the number of firms suffering serious computer attacks has nearly doubled from two years ago

Hacking and virus attacks are costing British companies billions of pounds a year because firms are failing to spend enough money on IT security, according to an official report due to be released next week.

The government-backed Information Security Breaches Survey 2002 has warned that companies must spend more on security systems. It found that the number of companies suffering a serious security attack in the last 12 months has doubled compared to two years ago, even though bosses now have a greater awareness of the need for effective security.

"Information security has never been a higher priority at the board level. Seventy-three percent of UK businesses -- up from 53 percent in 2000 -- believe information security is a high priority for senior management. However, relatively few businesses are translating this priority into effective action. The UK appears to be suffering from underinvestment in IT security," said the report.

The report, which was undertaken by PricewaterhouseCoopers in collaboration with security firms such as RSA Security and Symantec, warns that security incidents cost UK business several billion pounds during 2001.

It found that 44 percent of UK businesses have suffered at least one malicious security breach in the last year, nearly twice as many as in 2000. The average cost of such an incident was £30,000.

Several security breaches caused more than half a million pounds' worth of damage, yet many companies haven't even implemented an official security policy or given sufficient attention to insurance policies.

The survey found that only 27 percent of UK businesses have a security policy -- an indication that in many firms the concerns felt at a senior level about IT security are not being transmitted into action. "A security policy represents the most basic discipline in information security. Yet, nearly three-quarters of UK businesses have still not set out their policies in respect of information security and communicated them across the organisation," warns the report.

Insurance is also a concern. While 8 percent of companies have specific IT insurance and 37 percent are covered by their general policy, 27 percent have no cover and 30 percent simply don't know if their general insurance would cover damage caused by a hacker or a virus.

There are increasing concerns that many UK firms are failing to protect themselves against malicious attacks. Antivirus firm McAfee warned last week that companies are running the risk of network failure and expensive downtime the next time there is a major virus attack, because they have not given sufficient attention to security management.

The survey took place between October 2001 and January 2002. It involved 100 face-to-face interviews and 1,000 telephone interviews, as well as an online questionnaire.
