Hacking incidents are increasing, data is not encrypted and viruses are down. These are some key findings from the bi-annual 2008 Information Security Breaches Survey.
The government-sponsored survey revealed some 96 percent of large UK businesses have experienced a security breach.
Some 13 percent of large companies, with more than 500 employees, have detected unauthorised outsiders within their network, found the study by the Department for Business, Enterprise and Regulatory Reform published today (22 April) at the Infosecurity Europe show in London.
The 2008 Information Security Breaches Survey (ISBS) of UK businesses, carried out every two years by PricewaterhouseCoopers, found unauthorised access by hackers is currently four times the level seen in 2000.
Despite improvements in security practices, many companies remain exposed to loss of confidential data. While 71 percent have procedures to comply with the Data Protection Act, only 8 percent encrypt laptop hard drives.
The survey found 78 percent of companies that had computers stolen had not encrypted their hard drives, around 67 percent of companies do nothing to prevent confidential data leaving on USB sticks, and 10 percent of websites that accept payment details do not encrypt them.
Chris Potter, partner, PricewaterhouseCoopers said: "There are still some fundamental contradictions. Some 79 percent of businesses believe they have a clear understanding of the security risks they face, but only 48 percent formally assess those risks.
Also, 88 percent are confident that they have caught all significant security breaches, but only 56 percent have procedures to log and respond to incidents. 81 percent believe security is a high priority to their board, but only 55 percent have a security policy."
The financial impact of IT security breaches has dropped in two years, costing UK businesses in total around £6 billion. This is compared with £10bn in 2006. A significant decline in reported virus infections - down by 60 percent compared with two years ago - has been credited with the overall drop in costs.
But the average cost of each incident has increased. The cost for the company increases relative to the size of the company. For small companies of fewer than 50 employees, the average cost is between £10,000 and £20,000. But for large companies, the average cost of a security incident is between £1 million and £2 million.
Amongst other findings, although 92 percent of companies surveyed believe that disaster recovery is "an important driver" of their IT spending, over half have no plan or an untested plan. More than a quarter of UK companies do not have a disaster recovery plan, and half of the plans that do exist have not been tested.