Info Misuse

by msecadm4921

Staff misusing the internet by accessing inappropriate websites or engaging in excessive web-surfing remains the second largest cause of reported security incidents after viruses for large UK companies.

That is according to the 2006 Department of Trade and Industry’s biennial Information Security Breaches Survey, conducted by a consortium led by PricewaterhouseCoopers LLP. The full results of the survey will be launched at Infosecurity Europe in London, from April 25 to 27.

Some 90pc of all companies said protecting their reputation was one of the most important drivers for information security. Some 88pc of business Internet connections are now broadband, increasing the risk of damage to reputation through staff misuse of web or email. In recognition of this, one and a half times as many companies have an acceptable usage policy for the Internet as two years ago: 63pc of all companies and 89pc of large ones have one. This is more than have an overall information security policy.

After the sharp rises in staff misuse levels seen two years ago, the number of companies affected has now stabilised, reflecting the impact of the improved levels of control. One in five companies overall was affected. Two-thirds of large businesses had at least one misuse incident in the last year. Some small companies reported hundreds of email abuses every day.

However, there are many UK businesses that are not taking the risks seriously. Three-fifths do not block access to inappropriate websites. Only one in six scans outgoing email for inappropriate content.

Findings from the telephone survey of 1,000 companies include:

Some 97pc of companies now have an Internet connection and 88pc of these are broadband; in the 2004 survey Internet usage was at 93pc but most small business connections were dial-up.

17pc of UK businesses suffered staff misuse of web access and 11pc had misuse of email. Larger companies are more likely to have incidents involving staff misuse – 52pc had web misuse and 43pc had email misuse.

41pc of the worst incidents involved staff accessing inappropriate websites and a further 36pc of worst incidents related to excessive web surfing. The most serious of such incidents involved access to illegal material; several companies reported incidents of staff accessing child pornography.

The average cost of individual incidents of misuse was relatively low compared with other types of security breach, with less than 10pc causing business disruption or direct cash costs.

Technology, telecommunications and utility companies were most likely to report incidents; retail and travel were the least likely.

There has been a big increase in the proportion of UK businesses that filter incoming email for unsolicited messages (spam); two thirds of the businesses that do not scan incoming emails for viruses do filter for spam and block suspicious attachments.

Protecting confidential information sent by email is still rare – in only a quarter of UK businesses can staff send encrypted email to the company’s business partners.

Roughly one in five UK companies allows staff to download free auto-address software onto their PCs despite the fact that such software often stores confidential information such as email addresses on a third party’s servers.

These findings are published in a factsheet – ‘E-mail and web usage’ – sponsored by security software specialist, Clearswift.

What they say

Chris Potter, the partner from PricewaterhouseCoopers LLP leading the survey, said: "As companies implement better controls around email and web usage, they tend to detect misuse already happening. Where those businesses have an acceptable usage policy in place, they are nearly three times as likely to detect misuse as those that don’t. It is very hard to police this area if you haven’t agreed what an acceptable usage policy is.

"An increasing number of companies are using email to communicate with customers and business partners. Given how important reputation is to businesses, it is surprising that five-sixths do not scan outgoing email for inappropriate content. Companies that scan their outgoing emails are much more likely to detect any misuse, but the worry is that the others may be letting inappropriate content slip through, to the potential detriment of their reputation."

Ian Bowles, senior vice president, global operations, Clearswift, said: "These findings back our belief that prevention is indeed better than cure when you’re talking about managing email traffic. The problem with giving employees easy access to email and the web is that the potential for damage is immense. Despite an increased awareness of the issue, employees are still the weakest link in the security chain."

About the survey

The 2006 DTI Information Security Breaches Survey is the most authoritative survey about this issue in the UK, the DTI claims. It is part of the Department of Trade and Industry’s work with British industry to understand the impact of information security breaches. It aims to raise awareness among UK companies and public sector organisations of the value of effective information security management.

The survey was conducted between October 2005 and January 2006 and is based on 1,000 telephone interviews with organisations of all sizes across the UK, plus a series of face to face interviews with information security officers to supplement the telephone interviews.

A consortium led by PricewaterhouseCoopers LLP is managing the 2006 survey. Other sponsors are Microsoft, Symantec, Entrust and Clearswift. Input has also come from the National Hi-Tech Crime Unit, Royal Holloway, University of London and the Information Security Forum.

The full results of the ninth, biennial survey will be published at the Infosecurity Europe exhibition and conference in London, 25-27 April.

The factsheet ‘Email and web usage’ can be downloaded from www.security-survey.gov.uk or in the publications section of www.dti.gov.uk/industries/information_security


© 2024 Professional Security Magazine. All rights reserved.
