|
A government-backed report into information security incidents in British business has revealed that the average number of companies reporting such incidents has fallen since 2004. This may indicate that the business community is starting to win its war against malicious attacks in a world where information technology has become firmly embedded into the business environment.
Over three-quarters of British businesses declare security to be one of the top concerns even at management and board level. This has translated itself into better security practices with many more companies establishing their own formal security policy. An average spend by companies of 4-5% of the IT budget on security has also improved the situation. This now means that 98% of companies have antivirus software installed, compared with 93% two years ago. A more responsible approach has also led to better updating practices with 80% of businesses updating antivirus signatures within a day, in comparison with 59% in 2004.
All this has led to a marked downturn in the number of information security incidents suffered by companies. The overall figure of 62% of businesses having a security incident in the last year is well down on 74% two years ago. The number of actual malicious attacks has also dropped to 52% from a high of 68% in 2004. Infections by viruses also seem to have dropped off, as 35% of companies have reported this type of breach in 2006 in comparison with 50% in 2004.
Not everything is as rosy, though: the report suggests that the median number of security incidents has risen considerably in the past two years. A large minority of companies do not employ any anti-spyware software, while security updates are not installed as quickly as they should be. While the number of companies updating their antivirus software within a day of release of new signatures is relatively high at 80%, only 64% of businesses update their operating systems in the same timeframe. There is also a large minority of 12% that do not apply security patches for a month or longer, leaving them open to any attacks. Most probably these tend to be small businesses that do not have specially-trained IT staff. This is demonstrated by the fact that while 88% of companies overall had no formally trained staff responsible for information security, this number dropped to 71% for large businesses.
This disparity may be responsible for the rise in costs of dealing with security incidents overall, while average "clean-up” costs for large companies actually decreased. The total cost to businesses of the worst security incident now ranges between £8,000-17,000, up from £7,000-14,000 two years ago. For large businesses the lower average level has remained at £65,000 and the higher dropped from to £130,000 from £190,000.
Overall the security outlook seems to be much brighter than even two years ago, thanks in no small part to improved practices and professionalism, but, as usual, more still needs to be done.
|
