28 April 2004
More and more British businesses are being hit by IT security breaches, with the average cost of each incident estimated at about £10,000 — rising to £120,000 for major organisations.
That is the conclusion of the Department of Trade and Industry’s 2004 information security breaches survey, conducted by consultants PricewaterhouseCoopers (PwC). It found that three-quarters of all businesses and more than 90% of large organisations had experienced some kind of security incident in the last year.
The report suggests that most businesses in Britain have become Internet savvy with the majority — three-quarters — of organisations of all sizes enabling customers to at least initiate transactions online. That compares with just 13% in the 2002 survey.
However, those organisations are now struggling to deal with the security implications, with UK organisations reporting an average of one security breach per month, while the average big business is hit approximately once a week.
“The nature of the problem has changed significantly. We are now dealing with ‘blended’ threats and are now in need of ‘real-time’ solutions,” said Stephen Timms MP, the minister of state for energy, ecommerce and postal services.
However, Timms said that he was encouraged by the number of companies where IT security had become a board level issue. As a result, some action had been taken to start to address the growing threats, he added.
For example, more than 90% of companies now deploy anti-virus software — 99% in major organisations — compared to just 67% in 2000. “But viruses and worms continue to be the biggest challenge,” said Microsoft UK chief security officer Stuart Okin.
Okin was keen to stress that often, end-user organisations were responsible for many outbreaks because many did not keep their anti-virus software up-to-date. Forty-one percent admitted that they did not keep their anti-virus up-to-date.
With virus and worm writers now able to produce ‘exploits’ for flaws within a day of security advisories being produced — compared to six months or more just two years ago — organisations today have to update anti-virus software more frequently than ever.
Furthermore, anti-virus software did not help in the Blaster worm outbreak, which was not email borne. Instead, it attacked vulnerabilities in the Windows operating system.