Viruses, hackers and spam are a growing problem for UK firms because many are failing to pay enough attention to IT security, according to the DTI Information Security Breaches Survey 2004 (ISBS 2004), which was published on Tuesday.
ISBS 2004 found that the majority of companies spend less than 1 percent of their IT budget on security systems. This, according to the authors of the report, isn't enough to guarantee effective security.
"This really needs to shift upwards if businesses are to protect themselves properly going forward," said Chris Potter, information security assurance partner at PricewaterhouseCoopers.
ISBS 2004 also found that many companies have failed to improve their performance on IT security issues that were flagged up in a previous survey in 2002.
For example, fewer than one in ten companies have tested their disaster recovery plans to see if they actually work.
"This is a shockingly poor result, given the post-9/11 furore about contingency plans and disaster recovery," said Potter.
According to one antivirus vendor, there is still plenty of education to be done with smaller British companies about the importance of IT security.
"Some firms think that spending less on IT security is a good thing. They need to think about the return on investment, and assess the cost of their systems being offline for an hour or a day," said Roger Levenhagen, Trend Micro's managing director for UK and Ireland.
ISBS 2004 also found that only one in ten companies employ staff who have formal IT security qualifications, and that just one in two corporate wireless networks have specific security controls.
Most firms also believe that IT security problems are set to increase. Just 10 percent of large businesses said they expected fewer security incidents during the coming year, compared to 75 percent who predicted more -- a pessimistic view that the government shares.
"Things are going to get worse before they get better," warned a DTI official.