The average British business is now hit by a security incident every month, or once a week for larger companies, according to the Department of Trade and Industry's (DTI) bi-annual security survey, published this week.
The survey of 1,000 companies, completed in January by a PricewaterhouseCoopers-led consortium, found that security problems are now an issue faced by the majority of UK businesses, with nearly all large companies affected. Businesses haven't yet adjusted to this new reality, however, and suffer from inadequate security training and overconfidence in their security systems, the survey found.
The lack of adequate concern about security is reflected in spending, which is below the mark considered reasonable by industry observers. In a separate study also released this week, IDC found that security spending was roughly on par with expenditure on printers.
The majority of UK companies - 74 percent - have had a security incident in the past year, rising to 94 percent for large companies, the DTI survey found. That figure includes accidents such as system failures and data corruption; but malicious incidents are now far more common than accidents, with 68 percent of all companies (91 percent of large businesses) suffering at least one malicious attack in the past year. In 2002, only 44 percent had been purposefully attacked, and in 2000 the figure was just 24 percent.
"If you go back some years, accidental incidents far outweighed malicious incidents. Now more than twice as many companies had malicious incidents as accidental ones," said Chris Potter, the PwC partner who led the survey.
Most malicious attacks were caused by viruses or inappropriate usage of IT systems by staff. The average cost of an organisation's most serious incident was about £10,000, or £120,000 for large companies - largely due to disruption to a company's operations. Some companies suffered disruption for more than a month after an attack, Potter said.
The upshot for businesses is that security is now an issue requiring increasing investment, Potter said: "With security, as with everything else, the issue is one of cost versus benefit. What we have seen here is that the trend of incidents is unfortunately upwards, so the cost to UK businesses is continuing to rise."
In response, companies are now more likely to have a security policy in place. Three-quarters said they were confident that the measures they had instituted were good enough, although in reality less than half of the companies surveyed actually had effective security measures, Potter said. "We feel there is the problem of overconfidence, due to people not fully understanding the risks they're running," he said.
A skills gap appears to be contributing to the problem, with 11 percent of companies having staff with formal security qualifications. "It's important to realise that qualifications are only one way of measuring expertise. But if you look at some of the other figures in the survey, they expose a skills gap in many businesses," Potter said.
One example, Potter said, was that only 12 percent of the individuals responsible for a company's security were aware of the contents of the BS 7799 standard for information security - a figure that hasn't increased in the past two years.
The UK government praised businesses for making progress at integrating security into their businesses. "It is encouraging to note that information security remains a high priority at board level," stated e-Commerce Minister Stephen Timms, whose department sponsored the research. "More companies than ever have a security policy in place and those that have adopted BS7799 have found it has yielded real benefits."
Participants in the DTI survey were spending an average of three percent of their IT budget on security, up from two percent in 2002; industry observers consider five to ten percent a reasonable benchmark level. These figures tally with an IDC study released this week, which also pegged spending at less than five percent of IT budgets.
IDC expects security expenditure worldwide to hit $48 billion this year, still just 4.8 percent of overall IT spend, and about on par with the $43 billion annual spending on printers and multifunctional peripherals. The figure will rise to seven percent of the overall IT budget by 2007, IDC said.
Mobile and wireless security spending will grow more quickly, rising 71 percent a year to $1.27 billion in 2007, IDC said.