25 May 2006
By Kevin Reed
Concerns over corporate IT security have persisted for decades. And finance directors, often in charge of risk management across an organisation, find themselves responsible for ensuring that the protection of business data and the control of IT processes are undertaken efficiently.
Thankfully, a survey by the DTI and PricewaterhouseCoopers into IT security suggests that businesses are slowly but surely improving their controls. Fewer companies had IT security breaches than two years ago, down to 62% from 74%.
During that time, budgets for IT security have also climbed, with the average UK company now spending 4% to 5% of its IT budget on security, compared to 1% to 2% in the last survey.
IT security in the boardroom
The prioritisation of security has also improved, with 83% of respondents from businesses in the UK claiming information security was a high priority for management, compared to 73% in 2004 – a tip of the hat in the direction of the FD. Other findings suggest the increasing influence of the FD when seeking IT advice.
External auditors were used by 58% of large businesses for security guidance compared to 36% overall, while another business advisory firm other than their auditor was used by 24% of large businesses.
Other traditional trusted advisers to business, such as the external auditors and IT service consultancies, were used 58% and 44% of the time respectively by large businesses. Smaller companies followed the same advisory routes as their larger counterparts, but less often.
Wireless risks
One of the biggest threats flagged up by businesses in the last survey concerned protection of wireless networks, and much work has gone into dealing with this issue over the past two years.
The last survey found that 53% of respondents had no protection for their wireless networks. In 2006, just 5% of large businesses have no controls in place, while one-fifth of smaller companies have not put any protection in place.
Solutions include the secure placement of access points, changing the name of the network from its default setting and restricting connection to known computers only.
Most websites used to interact financially with customers now encrypt the flow of transactional information, yet 30% do not encrypt data transmissions, which leaves private customer data exposed as it travels across the internet.
Internet in the workplace
More companies have an acceptable usage policy for the internet than have an overall information security policy. Those with a usage policy are three times more likely to have reported staff misuse than those without.
Three-quarters of companies with a usage policy require staff to acknowledge they have read it, an area that has grown in take-up particularly among smaller businesses.
Scanning incoming email and web downloads has become common, especially in large companies. Four times as many businesses filter incoming email for unsolicited messages (spam) as they did two years ago.
But there is still an issue of concern for risk managers. Only one in six UK companies scans outgoing email for inappropriate content. Those that do are three times as likely to detect incidents of staff misuse.
Disaster recovery
A number of natural disasters in the UK over the past ten years, plus the aftermath of 9/11, led to increased sensitivity over disaster recovery plans. And the past two years have seen businesses undertaking new levels of protection against business downtime.
Backups of critical data are now undertaken by all businesses, yet a proportion still does not store data offsite. Nine-tenths of large businesses undertake offsite data storage, compared with 76% of smaller respondents. Only 32% of respondents undertook offsite data storage in the last survey.
There are still gaps in disaster recovery plans. Only 58% of large businesses tested their disaster recovery setup last year.
One respondent, a subsidiary of a food and drink group, had a hardware fault that rendered their core business and finance (ERP) system unavailable for three days.
New IT threats
But as businesses get a handle on some of the biggest threats to their IT functions, including better management of virus security and more extensive presentation of IT policy to staff, new problems arise.
While 100% of respondents had implemented anti-virus software, only 76% used anti-spyware technology. The report highlights a large pharmaceutical company that viewed spyware as its ‘biggest current challenge’.
The widely publicised threat of identity theft has apparently not affected the psyches of those responsible for IT security within a business – only 1% have a comprehensive approach for identity management, such as managing user authentication, access control and user provisioning. More than three-quarters of respondents said there was ‘no business requirement’ to improve in this area.
Three-fifths of companies that allow remote access to their systems do not encrypt their transmissions; businesses that allow remote access are more likely to have their networks penetrated.
A similar number do not block staff access to inappropriate websites and only one in six scans outgoing email for inappropriate content.
Mark Hughes, EMEA managing director of messaging security business Proofpoint, warned that communication channels such as instant messaging and blogs had become big concerns for companies.
“Content security products can enforce policies related to confidential information and block inappropriate use, and organisations need to decide which documents and data are sensitive, then apply consistent policies around their use,” says Hughes.