On 11/04/2000, the Department of Trade and Industry (DTI) published its report on computer security in the UK.
The report is highly critical of attitudes to computer security in the UK:
- The report indicates that 60 per cent of companies have suffered a security breach within the past two years, and of those, 64 per cent did not change their security policy after the event.
- The survey's finding that only 14 per cent of UK firms have any security at all shows that, at a senior management level, there is obviously not enough awareness of the issues.
- 60% of organisations have suffered a security breach in the last 2 years.
- Over 30% of organisations do not recognise that their business information is either sensitive or critical, and therefore a business asset.
- Of those organisations that have critical or sensitive information, 43% had suffered an extremely serious or very serious breach, and a further 20% had suffered a moderately serious breach in the last 2 years.
- 1 in 3 businesses are either already buying or selling over the internet, or intend to start in the near future.
- Some good practices, e.g. virus protection and password controls, are implemented and adhered to by 83% of the organisations interviewed.
- Only 37% of organisations interviewed have undertaken a risk assessment where a systematic approach is taken to assess the security risks faced by the organisation.
- For 40% of companies reporting security breaches, the breaches were due to operator or user error, reinforcing the fact that information security cannot simply be solved by technology.
- Nearly three quarters of organisations that suffered a breach which they regarded as serious had no contingency plan in place to deal with it.
- More than half of the organisations which have suffered a breach that they consider to be their most serious do not believe that there is anything they could have done to prevent the breaches they have suffered.
- Only one in seven organisations has a formal information management security policy in place.
- Organisations where responsibility for information security rests at board level are also those most likely to have formal policies in place. The presence of a formal policy is one of the most important issues in reporting and resolving security breaches.
- Very few organisations were able to assess the true business implications of the security breaches they had suffered, but those that were indicated that the cost of a single breach was in excess of £100,000.

The high profile security issues, such as viruses and passwords, are being addressed. However, there is insufficient awareness and understanding of what can be done to combat the more significant risks, particularly those posed by human actions, and those arising from doing business electronically. Often, but not always, information security is seen only as an issue for the IT department, which it clearly isn’t. Good information security management is about organisations understanding the risks and threats they face and the vulnerabilities in their current computer processing facilities. It is about putting in common-sense procedures to minimise the risks and about educating all the employees about their responsibilities. Most importantly, it is about ensuring that the policy on information security management has the commitment of senior management.
It is only when these procedural and management issues have been addressed that organisations can decide on what security technologies they need.

What next?

Contact us now to arrange an informal meeting and don't be a statistic: