The DTI Information Security Breaches Survey 2004 (ISBS) is the UK's leading source of information on security incidents suffered by businesses, both large and small.
One of the most surprising statistics to emerge from this year’s DTI survey is that 7% of UK organizations are yet to implement any form of anti-virus software. Almost equally disconcerting is the fact that 41% of businesses do not immediately update their anti-virus software when a new virus signature is identified.
ISBS illuminates the ever-present danger of viruses, unauthorized access, systems misuse, fraud and theft. With 90% of UK computer users frequently sending emails and browsing the web as a normal part of their working day, this increased connectivity to ‘the outside world’ is also attracting a deluge of unsolicited email or spam that is undermining the efficiencies of electronic communication. Two-thirds of large companies with sophisticated IT security systems admitted that their defenses were breached by an email-borne virus at least once in the last year.
The average UK business experiences at least one ‘security incident’ per month, and for larger companies the figure is closer to one incident per week. Perhaps, for the 7% with their heads still buried in the sand, ignorance is bliss: most have no idea how susceptible they are, or how many attacks they fall victim to, until they consider the monetary cost.
For a medium-sized business, the average cost of each security incident is £10,000, which is mainly attributed to systems downtime and lost productivity. However, the figure escalates with the size of the organization, with larger firms reporting an average cost of around £120,000 per incident. As central and local government organizations upgrade IT infrastructure to improve inter-departmental collaboration and government-to-customer communication, the risk of exposure to viruses and malicious attack grows.
A few years ago, there were very clear lines of distinction between the private and public domain. Generally, organizations would post a website populated with innocuous content as a two-dimensional electronic façade to the outside world. However, electronic ‘brochureware’ is being replaced by sophisticated, interactive websites that deliver a more personalized online experience to visitors.
The technology is available to deliver single login access to various business-to-consumer and government services. It can also enable remote, wireless access to server-based data. In addition to providing more convenient ways for customers to communicate with organizations, the new gateways are particularly useful for staff seeking more flexible working arrangements, such as being able to work from home. It also enables public and private sector organizations to introduce mobile computing by putting PDAs in the hands of field service staff.
Extending and blurring the boundaries of computing brings new security challenges. Many organizations’ security is like a soft-boiled egg. The firewall provides a shell, which is supposed to protect all internal networks and data. However, once the defense is cracked, the intruder is free to access the soft, GUI centre of the organization’s data repositories. ISBS reveals that three-quarters of in-house websites have a firewall, but half of these sites rely on the firewall as their sole defense.
What can be done?
Organizations need to move from the soft-boiled egg defense to a multi-layered strategy, which provides different levels of access to employees and customers depending on their security clearance.
Once a multi-layer defense is in place, there are three steps to maintaining an effective security strategy: