IT security moves up the agenda

Concerns over corporate IT security have persisted for decades. And finance
directors, often in charge of risk management across an organisation, find
themselves responsible for ensuring that business data is protected and that
IT processes are controlled efficiently.

Thankfully, a survey by the DTI and PricewaterhouseCoopers into IT security
suggests that businesses are slowly but surely improving their controls. Fewer
companies had IT security breaches than two years ago, down to 62% from 74%.

During that time, budgets for IT security have also climbed, with the average
UK company now spending 4% to 5% of its IT budget on security, compared to 1% to
2% in the last survey.

IT security in the boardroom

The prioritisation of security has also improved, with 83% of respondents
from businesses in the UK claiming information security was a high priority for
management, compared to 73% in 2004 – a tip of the hat in the direction of the
FD. Other findings suggest the increasing influence of the FD when seeking IT

External auditors were used by 58% of large businesses for security guidance
compared to 36% overall, while another business advisory firm other than their
auditor was used by 24% of large businesses.

Other traditional trusted advisers to business, such as the external auditors
and IT service consultancies, were used 58% and 44% of the time respectively by
large businesses. Smaller companies followed the same advisory routes as their
larger counterparts, but less often.

Wireless risks

One of the biggest threats flagged up by businesses in the last survey
concerned protection of wireless networks, and much work has gone into dealing
with this issue over the past two years.

The last survey found that 53% of respondents had no protection for their
wireless networks. In 2006, just 5% of large businesses have no controls in
place, while one-fifth of smaller companies had not put any protection into

Solutions include the secure placement of access points, changing the name of
the network from its default setting and restricting connection to known
computers only.

Most websites used to interact financially with customers now encrypt the
flow of transactional information, yet 30% do not encrypt data transmissions,
which leaves private customer data exposed as it travels across the internet.

Internet in the workplace

More companies have an acceptable usage policy for the internet rather than
an overall information security policy. Those with a usage policy are three
times more likely to have reported staff misuse than those without.

Three-quarters of companies with a usage policy require staff to acknowledge
they have read it, an area that has grown in take-up particularly among smaller
Scanning incoming email and web downloads has become common, especially in
large companies. Four times as many businesses filter incoming email for
unsolicited messages (spam) as they did two years ago.

But there is still an issue of concern for risk managers. Only one in six UK
companies scan outgoing email for inappropriate content. Those that do are three
times as likely to detect incidents of staff misuse.

Disaster recovery

A number of natural disasters in the UK over the past ten years, plus the
aftermath of 9/11, led to increased sensitivity over disaster recovery plans.
And the past two years have seen businesses undertaking new levels of protection
against business downtime.

Backups of critical data are now undertaken by all businesses, yet a
proportion still does not store data offsite. Nine-tenths of large businesses
undertake offsite data storage, compared with 76% of smaller respondents. Only
32% of respondents undertook offsite data storage in the last survey.

There are still gaps in disaster recovery plans. Only 58% of large businesses
tested their disaster recovery setup last year.

One respondent, a subsidiary of a food and drink group, had a hardware fault
that rendered their core business and finance (ERP) system unavailable for three

New IT threats

But as businesses get a handle on some of the biggest threats to their IT
functions, including better management of virus security and more extensive
presentation of IT policy to staff, new problems arise.

While 100% of respondents had implemented anti-virus software, only 76% used
anti-spyware technology. The report highlights a large pharmaceutical company
that viewed spyware as its ‘biggest current challenge’.

The widely publicised threat of identity theft has apparently not affected
the psyches of those responsible for IT security within a business – only 1%
have a comprehensive approach for identity management, such as managing user
authentication, access control and user provisioning. More than three-quarters
of respondents said there was ‘no business requirement’ to improve in this area.

Three-fifths of companies that allow remote access to their systems do not
encrypt their transmissions; businesses that allow remote access are more likely
to have their networks penetrated.

A similar number do not block staff access to inappropriate websites, and only
one in six scans outgoing email for inappropriate content.

Mark Hughes, EMEA managing director of messaging security business
Proofpoint, warned that communication channels such as instant messaging and
blogs had become big concerns for companies.

“Content security products can enforce policies related to confidential
information and block inappropriate use, and organisations need to decide which
documents and data are sensitive, then apply consistent policies around their
use,” says Hughes.