Security of WiFi networks, VoIP systems and USB devices remains to be addressed by many organisations, according to a survey by the National Computing Centre.
It finds that virtually all organisations are now working on external IT security threats, with measures such as virus detection, spam blocking and firewalls – but that the more advanced threats aren’t getting the attention they need.
The NCC Benchmark of IT Strategy 2007, which examines current trends in IT strategy among end-user organisations, reveals that 40% of respondents have only partially secured their wireless networks, or not secured them at all – and that only 15% of respondents have implemented VoIP security.
Stefan Foster, managing director of NCC, warns that, while he is encouraged to see the widespread adoption of Internet security, organisations using unsecured WiFi must act quickly to close this security liability.
“Running unsecured WiFi is like locking the front door, but leaving the windows open. Fraudsters are increasingly targeting IT systems and the growing use of WiFi is attracting their attention both inside and outside of the office environment. Unsecure wireless is putting organisations and those who interact with them at unnecessary risk.”
As for laptop systems, he says that following recent news stories, it is not surprising that protection of data on laptops is growing – with 20% of respondents reporting security currently implemented and more than 20% reporting it under development or planned.
However, he suggests that the proliferation of small, high-capacity USB data devices has introduced a serious security liability. This is a worry, given that the NCC survey shows nearly 75% of respondents recognising that this liability will need to be addressed, but only 11% having fully implemented controls on USB/data writing devices on the desktop.
“Much IT-related crime comes from within an organisation, so it is alarming that 25% of respondents indicated that formal security training for end-users was ‘not relevant’ or ‘not considered’, and only 40% indicated end-user security training was fully or partially implemented,” says Foster.
Other findings:
Just over 60% of respondents reported employing some IT staff who are mainly or completely engaged in IT security activities, but more than half of those with fewer than 25 IT staff employed no security specialists.
The median estimated level of expenditure on IT security was 3.3% of total IT spending (including staff and capital costs).
There is rapidly growing interest in authentication procedures – 40% of respondents reported single sign-on access control for end users, and it was under development or planned by nearly 30%.
Free IT security advice and guidance for small to medium-sized organisations, provided by NCC, can be found on the IT and eCommerce section of the Business Link website (www.businesslink.gov.uk), where users can also assess their own risks using the online IT Risks Assessment tool (www.businesslink.gov.uk/itrisks).