UK firms treble IT security spend

A survey commissioned by the Department for Business, Enterprise and Regulatory Reform (BERR) has revealed that UK companies are spending three times as much of their IT budget on security as they were six years ago.

The 2008 Information Security Breaches Survey was carried out by a consortium led by professional services company PricewaterhouseCoopers and the results were revealed at the Infosecurity Europe event in London this week. The survey showed that the average UK firm spends 7 per cent of its IT budget on security, compared to 2 per cent in 2002.

During that time the total cost of security breaches to UK firms has fallen 35 per cent, although a quarter of businesses reported a serious security breach in the last two years. The survey demonstrates that companies are becoming more security savvy, demonstrated by the more than 90 per cent that back up critical systems, have implemented spam filters, firewalls, anti-virus and anti-spyware software and have encrypted wireless network transmissions.

55 per cent of firms now have a documented security policy, compared to 27 per cent in 2002, while 40 per cent give their staff ongoing security training, double the amount that were doing so in 2002.

But the survey also reveals many companies have a worryingly lackadaisical approach to other aspects of security. 84 per cent do not check to ascertain whether outgoing email contains confidential information and 78 per cent that had been victims of computer theft did not encrypt hard discs. 72 per cent do nothing to prevent data leaving on portable memory devices, 52 per cent do not carry out a formal security risk assessment and 48 per cent have not tested their disaster recovery plans in the last year.

35 per cent exercise no controls on their staff using instant messaging, 21 per cent spend under one per cent of their IT budget on security and 10 per cent of websites accepting payment details do not encrypt them. Despite the drop in the cost of security breaches to the UK economy, only 17 per cent of businesses expected the numbers of incidents to fall next year.

Parliamentary under secretary of state for BERR Shriti Vadera said: "New technology is a key source of productivity gains, but without adequate investment in security defences these gains can be undermined by IT security breaches. The survey shows increasing understanding by business of the opportunities and threats, but challenges remain."

Chris Potter, partner at PricewaterhouseCoopers, said: "There are still some fundamental contradictions. Some 79 per cent of businesses believe they have a clear understanding of the security risks they face, but only 48 per cent formally assess those risks. Also, 88 per cent are confident that they have caught all significant security breaches, but only 56 per cent have procedures to log and respond to incidents. The survey also shows 71 per cent have procedures to comply with the Data Protection Act, but only 8 per cent encrypt laptop hard drives. Businesses all need to ensure that their defences are sound if they want to continue to enjoy the benefits that technology brings.”