Companies urged to do more to keep out cyber-vandals
A government survey has found that the number of times cyber criminals have broken through the defences of businesses has doubled in 12 months.
Despite the escalating threat from such web-based security problems, the survey found that businesses are not spending or doing enough to protect themselves from harm.
The report puts the average cost of each serious security breach at £30,000. The most serious incidents could cost up to £500,000 to fix and take days to repair the damage.
Damage assessment
The 2002 DTI Information Security Breaches survey found that 44% of all businesses questioned had suffered a malicious security incident or breach in 2001, almost double the 24% who reported suffering breaches in 2000.
"Businesses with a website connection or an internet gateway are almost perpetually under attack," said Chris Potter, partner at PricewaterhouseCoopers, which helped analyse the survey results.
Unlike many other surveys, the DTI report only counts an incident as such if it succeeds in causing damage.
The survey also found that, despite the growing number and sophistication of attacks, many businesses were not spending nearly enough cash to protect themselves.
Security investment
Only 27% of those questioned are spending more than 1% of their total technology budget on security.
Experts estimate that businesses should be spending 3-5% as a minimum and perhaps as much as 10% in high-risk areas such as financial services.
Mr Potter said many businesses saw security as an overhead rather than an investment. Even worse, he said, very few companies measured whether the money they spent on improving security had the desired effect.
"There's a lot of fire-fighting expenditure," he said, "so when there is an incident they fork out protecting themselves so it doesn't happen again rather than think about the level of spending they should be making."
Mr Potter said that one of the big changes since the 2000 survey was the neglect of staff training.
"Where people are spending money on security it seems to be around technology," he said. "They take a fairly narrow information technology view of security rather than as a part of a strategy to embed a security culture within an organisation."
Fewer organisations are now telling employees about responsible use of e-mail, the web and passwords.
Even fewer were educating support staff to spot and deal with malicious hackers that try to trick them into revealing key information about a company's computer systems.
But Mr Potter said the news from the survey was not all bad.
The number of incidents over the 12 months covered by the survey had made many organisations realise how important it was to protect themselves against attack, he said.
The full report will be published at the Infosecurity show being held at London's Olympia from 23-25 April.