25/04/2006 - Headlines - Security
UK firms spend 'more than ever' on e-security
Large businesses appear to be making good progress in the information security battle, according to figures published today, but a lack of controls is leaving smaller firms more widely exposed.
The full results of the latest Department of Trade and Industry (DTI) 'Information Security Breaches Survey' showed a fall in the total cost of security incidents involving large businesses - by 50% over the last two years.
However, the average number of virus, hacking, spyware and other e-security incidents suffered by small firms in the UK had risen by half to around eight each year.
The study revealed that the gap between companies tackling information security and those that were not was also widening.
Approximately 50% of all UK businesses have security policies in place and carry out risk assessments on information security. However, while the rest may have anti-virus controls they lack "basic security disciplines" and may be "over-confident about the effectiveness of their security controls."
Spending increases
PricewaterhouseCoopers (PWC), which led the survey, also claimed that two-fifths of companies currently spend less than 1% of their IT budget on information security.
PWC's Chris Potter said: "Overall, UK businesses are more aware than ever of the risks they face from information security breaches, in an environment where threats are on the increase. But some still seem to believe they are immune to the dangers and don't have even basic security controls in place.
"This is particularly worrying as we see new technologies emerging that pose new threats to UK plc. Businesses cannot afford to become complacent."
On a positive front, three-quarters of UK businesses rated security as a "high" or "very high" priority for their senior management or board of directors.
As a result UK companies were spending more on information security controls than ever - on average 4% to 5% of their IT budget, up from 3% in 2004 and 2% in 2002. Three times as many companies now have a security policy compared to six years ago, and 98% of businesses have anti-virus software in place.
'Paying off'
The study also showed that this investment appeared to be paying off, with fewer companies having security incidents than in 2004, when the survey was last undertaken. Overall, 62% of businesses have had a security incident in the past year, down from 74% two years ago.
However, the average cost - principally business disruption cost rather than cash losses - of a UK company's worst security incident was approximately £12,000 - up from £10,000 two years ago. Overall, an indicative estimate of the total cost of security breaches to UK businesses was up by 50% from two years ago, at around £10 billion per annum.
DTI minister Alun Michael commented: "We commission this survey every two years because knowledge is a vital weapon against the growing scale and sophistication of the threats to security.
"The number of companies affected has dropped slightly since the last survey but there is no room for complacency. The cost of the damage caused by the attacks on security has risen as the nature of the attacks has become more serious.
"That's why it's crucial to have good security in place, which also respects the way that ICT is used within the business so that security is not an inhibitor to effective working."
