A new report published today reveals 32% of UK organisations found critical vulnerabilities that are widely known and actively exploited by hackers in their IT systems, compared to 61% in 2006.

The 2007 Annual Security Report published by IT security testing and consultancy provider, NTA Monitor says this decrease in threats shows UK companies have successfully redoubled their security efforts.

The report analysed data gathered from vulnerability tests conducted by NTA on UK companies in a wide range of industry sectors, including charities, education, finance, government, IT, law and retail.

But, despite the number of tests exposing vulnerabilities that may enable external users to gain unauthorised system access or disrupt service availability has almost halved, the picture is not as bright for publishing and finance. Compared to other industries, these have seen an increase in the average number of vulnerabilities found per test. For financial institutions, the average number of risks increased by 16% year on year, whilst publishing saw an increase of 28%.

Roy Hills, NTA Monitor technical director said: “There are a variety of ways of causing denial of service (DoS) attacks, one of which occurs when a server is bombarded with more information than it can handle, resulting in legitimate users being unable to access or use the network. Other security flaws that our testing discovered could permit hackers to gain entry to corporate networks and change users’ passwords or delete files, which could wreak corporate havoc.”

Of the 10 most commonly occurring critical vulnerabilities, seven were found in last year’s report, indicating that these same issues continue to take their toll. All of the top 10 high risk flaws are associated with services that are being made available to internet users, which the report said demonstrates that, with increased functionality, comes the threat of reduced security.

NTA Monitor recommends that companies apply the following recommendations to raise awareness and minimise their exposure to IT security risks:

  • Stay up to date on the latest vulnerabilities and apply patches and updates as soon as they become available
  • Allocate sufficient management time, focus and control to ensure that preventative actions are carried out on an ongoing basis
  • Involve and educate staff on internet security issues
  • Have a clear and up to date security policy that is publicised and updated regularly