Only 1 percent of UK companies use all methods available to control access to their IT systems and prevent security problems. That's according to the Department of Trade and Industry (DTI), which surveyed 1,000 companies about their attitudes to security.
A consortium led by PricewaterhouseCoopers conducted the Information Security Breaches Survey and found that large companies reported only a small increase in the number of security incidents from 2004, the last time the survey was conducted. The use of strong authentication techniques, such as hardware tokens and digital certificates, has kept problems at bay.
Businesses using biometric authentication methods reported fewer incidents than those using software-based tokens and certificates alone. But about 80 percent of companies were simply using single-factor authentication such as passwords to protect data and access.
Banks led businesses in implementing two-factor authentication, as they have greater exposure to online fraud, said Chris Potter, information security assurance partner at PricewaterhouseCoopers.
Two-factor authentication can take different forms. For example, one method may require a person's regular user name and password and then ask for an additional one-time, disposable password before access is granted to a banking website.
Most companies that aren't using strong authentication said there is no business requirement yet to implement it, Potter said.
"Companies tend to be implementing two-factor authentication when either their risk profile is very high or they've had actual incidents in the past," Potter said.
One in five security incidents at large companies involved staff gaining unauthorised access to data. The survey said 6 percent of companies suffered from phishing attacks. The survey has already revealed the high degree of concern about viruses among UK firms.
Instances of fraud were low, but caused more damage than other breaches, the survey said. Some small businesses reported fraud losses of £10,000 to £50,000 (US$17,500 to $87,300).
The survey's full results will be released at the Infosecurity Europe conference in London next month.