Hacking incidents are up, confidential data is largely left unencrypted and virus infections are down. These are among the key findings of the biennial 2008 Information Security Breaches Survey.

The government-sponsored survey found that some 96 per cent of large UK businesses have experienced a security breach.

Some 13 per cent of large companies (those with more than 500 employees) have detected unauthorised outsiders within their network, according to the study, which was published today (22 April) by the Department for Business, Enterprise and Regulatory Reform at the Infosecurity Europe show in London.

The 2008 Information Security Breaches Survey (ISBS) of UK businesses, carried out every two years by PricewaterhouseCoopers, found that unauthorised access by hackers is now running at four times the level seen in 2000.

Despite improvements in security practices, many companies remain exposed to the loss of confidential data: while 71 per cent have procedures in place to comply with the Data Protection Act, only eight per cent encrypt laptop hard drives.

The survey found that 78 per cent of companies that had computers stolen had not encrypted their hard drives, that around 67 per cent of companies do nothing to prevent confidential data leaving on USB sticks, and that 10 per cent of websites that accept payment details do not encrypt them.

Chris Potter, partner, PricewaterhouseCoopers, said: "There are still some fundamental contradictions. Some 79 per cent of businesses believe they have a clear understanding of the security risks they face, but only 48 per cent formally assess those risks.

Also, 88 per cent are confident that they have caught all significant security breaches, but only 56 per cent have procedures to log and respond to incidents. 81 per cent believe security is a high priority to their board, but only 55 per cent have a security policy."

The total financial impact of IT security breaches has fallen over the past two years: breaches now cost UK businesses around £6 billion in total, compared with £10bn in 2006. A significant decline in reported virus infections, down 60 per cent on two years ago, is credited with the overall drop in costs.

But the average cost of each incident has risen, and it scales with the size of the company. For small companies of fewer than 50 employees, the average cost of a security incident is between £10,000 and £20,000; for large companies it is between £1 million and £2 million.

Among other findings, although 92 per cent of companies surveyed believe that disaster recovery is "an important driver" of their IT spending, more than half have either no disaster recovery plan or one that has never been tested: more than a quarter of UK companies have no plan at all, and half of the plans that do exist have not been tested.
