UK businesses are failing to adopt the security controls needed to protect their customers' information, according to findings from the 2006 Department of Trade and Industry's biennial Information Security Breaches Survey, conducted by a consortium led by PricewaterhouseCoopers LLP. The full results of the survey will be launched at Infosecurity Europe in London, 25-27 April.
The survey showed that increasing volumes of business being conducted online have raised the priority given to protecting customer data. Most large organisations appear to have adopted best practice regarding network and data security and 78 per cent of those who accept financial transactions now encrypt the data they receive to ensure its confidentiality and integrity. However, smaller firms are less likely to provide the required protection; fewer than a third encrypted the data they received.
Nine-tenths of respondents recognised that protecting customer information was important or very important and a strong justification for security expenditure. This has become one of the biggest drivers for IT security spending.
While adoption of traditional security controls such as firewalls is high, newer technologies are being adopted faster than the controls to protect against their misuse. Protection of wireless networks has improved since 2004, but many small firms are still not adopting strong controls.
Firms are not considering the security implications of adopting Voice Over Internet Protocol telephony (VOIP). Despite widespread publicity, only half have evaluated the security risks; as VOIP enables a channel to be opened through the firewall, it needs to be managed correctly to ensure the risks are limited.
Key findings from the telephone survey of 1,000 companies include:
- Increasing volumes of online business are raising the priority given to protection of customer data. 90 per cent of firms considered this important or very important, and a strong justification for security expenditure.
- There was a rise in the number of companies that reported an attack on their internet or telecommunications traffic. Over a quarter of those affected by attempts to break into their networks said they suffered at least one significant attempt every day.
- The businesses attacked tended to be those that accept financial transactions online. All the websites that accept financial transactions are behind a firewall.
- Fewer than two-thirds of websites accepting financial transactions encrypt the data they receive. In contrast, every transactional website run by a very large respondent uses encryption.
- Controls over authorised wireless networks have improved. The number of unprotected networks has halved since 2004; however, there is no room for complacency: one in five firms still lacks any controls.
- Few small businesses use VOIP telephony; 31% of large businesses have adopted VOIP and more are planning to use it over the next year. Half of the businesses that have implemented VOIP did so without evaluating the security risks.
These findings are published in a factsheet - 'Trustworthy Networking' - sponsored by Microsoft.
Andrew Beard, the director from PricewaterhouseCoopers LLP leading the survey, said:
"It is encouraging that companies recognise the value of secure e-commerce to their business, however some still have work to do to put secure controls in place to satisfy their customers. Somewhat worryingly, the number of attacks on websites is rising and half of the attacks reported by respondents were described as serious.
"Clearly it is important that companies review the controls they have in place and ensure sensitive information is protected and encrypted. As more and more businesses adopt VOIP technology, it is imperative that they also consider the risks associated with this new technology and don't leave anything to chance."
Ed Gibson, chief security advisor, Microsoft UK, said:
"Ecommerce provides infinite opportunities for UK businesses, but also provides opportunities to criminals targeting business networks for financial gain. Online transactions can be secure today with the right levels of protection; as long as organisations and end-users use security best practice and the technology tools available to them. The ISBS survey highlights that although progress is being made, UK businesses still need to regularly review and reassess their security status to continue to increase customer confidence online."