Security report sponsorship defended

This year's DTI Information Security Breaches Survey has found that the cybercrime threat is growing. But should it be sponsored by companies who sell security products?

PricewaterhouseCoopers has defended vendor involvement in a major survey into IT security conducted on behalf of the Department of Trade and Industry.

Although the biennial Information Security Breaches Survey was commissioned by the DTI, the main sponsors of the report are Microsoft, Symantec, Entrust and Clearswift.

Symantec, Entrust and Clearswift all sell security products and services, while Microsoft is gearing up to launch its OneCare security package in June.

Some observers have questioned whether a UK Government survey should be sponsored by those who have a vested interest in the results. Experts have also queried why the government needed to obtain private funding for the survey, given the importance of IT security.

"You would think they could afford to do it all by themselves," said Cambridge University security expert Richard Clayton last week.

PwC denied on Monday that the sponsorship of the report undermined its impartiality.

"Every effort has been made to ensure the report is as unbiased as possible," said Andrew Beard, the director from PwC who led the survey. "Companies that are independent have been involved, and it was vital the survey should be as impartial as possible," he said.

Microsoft insisted that the report would help enterprises to make more informed security decisions.

"Microsoft has a vested interest in making business more secure. How else would business be secure if not for [the input of experts]?" said Microsoft UK's chief security advisor Ed Gibson.

"The report is a good offering to use as a means to ensure systems are up-to-date. The report gives a good roadmap to show businesses [in] which direction they should be asking questions," Gibson added.

Last month, a spokesman for the DTI told ZDNet UK: "It's our survey, but we don't have control over third-party endorsements. There's lots of stakeholders you would consult, and the big players need to be involved. The bottom line is that this is a DTI survey, and the DTI sponsored it."

But, as Clayton pointed out, such surveys aren't always as useful as the companies behind them claim.

"Unless you put in some extraordinary efforts, only the people with nothing better to do will respond; which tends to create a bias towards large organisations and towards those who have something exciting to report, though if they don't trust the anonymity, then the more exciting stuff isn't discussed," Clayton told ZDNet UK.

"They can also have a serious problem with definitions. 'Do you have a virus problem? — Yes' can mean — 'I saw some incoming emails with copies of Sober.o in them', or 'The kids of some idiot in Marketing infected their laptop' to 'I cannot seem to nail down where the pool of infection is, but we keep getting hit by Netsky variants' to 'I've been thinking of installing antivirus software, but I'm spending too much time firefighting'," said Clayton.

"And 'Are you being attacked? — Yes' can mean anything from they found some ping traces in their firewall logs, to someone ram-raided the front office and when they were tidying up they found some hardware keyboard sniffers had been installed on the chief executive's machine," Clayton added.

Over 1,000 companies took part in the 2006 DTI Information Security Breaches Survey. It found that there was a rise in the number of companies that reported an attack on their Internet or telecommunications traffic over the course of 2005.

The survey also found that Internet telephony is increasingly being taken up by enterprises. Thirty-one percent of large businesses have adopted VoIP and more are planning to use it over the next year, according to the survey. Half of the businesses that have implemented VoIP did so without evaluating the security risks.

"It's better not to retrofit VoIP security," said Beard. "Without looking at the security implications of VoIP, businesses won't know how they've been exposed."

The full results of the survey will be launched at InfoSecurity Europe, which is being held in London on 25-27 April.