IT security breaches cost U.K. businesses billions of pounds last year, with 44 percent of U.K. companies reporting at least one "malicious" security breach in the past year, according to a study published Tuesday by the U.K. Department of Trade and Industry (DTI).
The number of IT security breaches has more than doubled since the 2000 survey, the government agency said in a statement. The figures are according to the executive summary of the "Information Security Breaches Survey 2002," which was carried out by PricewaterhouseCoopers LLP on behalf of DTI, based in London. The study, which is conducted every two years, can be found online at https://www.security-survey.gov.uk/.
The full report, the "Information Security Breaches Survey Technical Report," will be published by the government on April 23.
A serious security breach cost a U.K. business an average of £30,000 (US$43,000), with some security breaches costing several companies more than £500,000, the DTI said.
Even though 73 percent of companies polled said they believe information security is a high priority for senior management -- up from 53 percent in 2000 -- 56 percent also indicated that they are not covered against such breaches by insurance, or do not know if they even have proper insurance, the DTI said.
The DTI estimates that a company should spend between 3 percent to 5 percent of its total IT budget on IT security, with high-risk sectors, such as the banking industry, spending 10 percent of the IT budget for that protection.
Only 27 percent of respondents spend more than 1 percent of IT budgets on information security, mainly because security is being regarded by U.K. companies as a cost overhead rather than an important investment, the DTI said.
When it comes to evaluating the return on investment of IT security, 30 percent of U.K. companies have performed such an exercise, while only 27 percent of U.K. businesses have a firm security policy in place at all, the study found.
Large businesses are much more likely than smaller enterprises to have security plans, with 75 percent of large businesses having procedures for logging and responding to security incidents, while 73 percent of large businesses have contingency plans in place for dealing with possible security breaches, the DTI. The figures among small businesses are 41 percent and 47 percent, respectively, the DTI said.
U.K. companies also have a marked lack of knowledge when it comes to government regulations concerning IT information security, the study said. Forty-nine percent of study respondents have documented procedures to ensure compliance with the Data Protection Act 1998 and only 24 percent have procedures to ensure that they are protecting their staff's rights as outlined by the Human Rights Act, the DTI said.
A draft Code of Practice on data protection from the U.K. Information Commission leaked to the Financial Times (FT) newspaper's Web site last week, stated that British employers may not be allowed to monitor their employees' private e-mail or Internet use at work in the future or use hidden cameras without staff knowledge unless a criminal investigation is under way. But if companies were simply unaware of such a policy, employees could face increased risk of breaches of their privacy in the workplace.
The DTI report called on U.K. business to take action on making "sound commercial decisions" concerning IT security investments. Companies need to develop comprehensive IT security policies and then need to educate staff as to what those polices are, how to carry them out and what is expected of each staff member in terms of protecting the information of a company, the DTI said.
U.K. companies also need to seriously explore insurance options, the study said. Currently, only 8 percent of U.K. companies have specific IT insurance coverage, though the study found that the adoption of such policies is rapidly increasing, the DTI said.