Confidential data remains at risk, despite increased business awareness, according to a survey by a consortium, led by PricewaterhouseCoopers, on behalf of the Department for Business, Enterprise & Regulatory Reform (BERR).
It finds 81% of boards giving a high or very high priority to information security, and a real improvement in controls, particularly in basic disciplines such as anti-virus and backups. Indeed, the average spend by companies on security defences has tripled over the last six years, resulting in the overall cost to UK plc of reported security breaches dropping by a third.
However, PWC says that, despite this reduction, the annual cost of security breaches to companies still runs into several billions of pounds.
Also, the survey shows that many companies still remain exposed to loss of confidential data. It finds, for example, that 80% of companies that have computers stolen have not encrypted their hard drives, while two-thirds do nothing to prevent confidential data leaving on USB sticks.
Business minister Shriti Vadera says: “New technology is a key source of productivity gains, but without adequate investment in security defences, these gains can be undermined by IT security breaches. The survey shows increasing understanding by business of the opportunities and threats, but challenges remain.”
Chris Potter, PWC partner who led the survey, adds: “There are still some fundamental contradictions. Some 79% of businesses believe they have a clear understanding of the security risks they face, but only 48% formally assess those risks.
“Also, 88% are confident that they have caught all significant security breaches, but only 56% have procedures to log and respond to incidents. The survey also shows 71% have procedures to comply with the Data Protection Act, but only 8% encrypt laptop hard drives.”
Meanwhile, PWC director Andrew Beard warns: “It would be easy for companies to look at the drop in incidents and become complacent. This response would be dangerous. Attitudes and controls in some companies mean that incident statistics are probably understated.
“For example, companies that carry out risk assessment are four times as likely to detect identity theft as those that do not. In addition, the average seriousness of incidents has increased, so roughly a quarter of companies had a serious breach – which is the same as in 2006.”
He advises companies to think about the future proactively. “It’s a bit like the difference between battening down the hatches when a hurricane comes, and taking steps to combat climate change. Businesses need to respect the opportunities that e-commerce represents, but also consider their duty to protect its users in the long term future.”