British businesses have made significant progress over the
last two years towards tightening up the security of their IT systems, but many
are still badly equipped to deal with the rising threat from organized criminals
who are moving online.
That's one key finding from the 2006 Information Security
Breaches Survey, carried out by PricewaterhouseCoopers for the Department of
Trade and Industry and published on Tuesday.
The survey found evidence that businesses are paying more
attention to security risks, through buying security products and by writing and
enforcing policies, and this appears to be bearing fruit.
The number of companies falling victim to a malicious
security attack dropped to 52 percent this year, compared to 68 percent in 2004,
and three times as many companies have a security policy today compared to six years ago.
Alun Michael, DTI minister for industry, told journalists at
the Infosecurity show in London that he saw "encouraging signs that security is
now being treated as an important business issue".
"We may now have got on top of the problems of the late
1990s, when virus writers got the upper hand over us. But we are now at the
start of a much darker era, where organized criminals are involved, not spotty
teenagers," said Michael.
Michael said he is also concerned that small businesses and
home users will be badly affected if the security industry fails to provide
easily accessible products to protect against the latest malware.
"My challenge to vendors and purchasers is this: how can we
make security more accessible to the inexperienced user, and avoid security
solutions that exacerbate the digital divide?" said Michael, warning that
otherwise, "the peasants outside the castle in their huts will be the first to burn."
Jeremy Ward, director of services development at Symantec,
which co-sponsored the report, said that companies and individuals were threatened by a new
breed of code which he dubbed "modular malware". These are programs so small
that they can avoid being detected by antivirus software. Once installed on a
computer or network, they will attempt to install more malicious code.
"We call this crimeware," said Ward. "It's following the
money and targeting online gambling sites and banks--where the money is."