Fraud Intelligence
(In-)security surveyed
Sixty per cent of UK organisations have suffered an information security breach in the last two years, according to the latest
research carried out for the UK’s Department of Trade and Industry. Of the groups that regard their business information as
critical or sensitive (70 per cent of a representative sample of 1000 UK organisations which took part in the Information
Security Breaches Survey 2000), 43 per cent admitted that they had experienced an “extremely serious” or “very serious” breach
and a further 20 per cent had suffered a “moderately serious” incursion in the last two years. One in three businesses also
said that they were already trading over the Internet or planned to do so in the near future. Almost three quarters of organisations
that suffered a breach which they classed as serious had no contingency plan in place to handle it, and more than half of those
that had experienced what they classed as their most serious integrity violation did not believe that they could have done
anything to prevent it. This pessimistic reading of the ability to thwart security threats has to be viewed against the revelation
that only 37 per cent of those in the sample had carried out systematic risk assessment and that only one in seven organisations
had implemented a formal information management policy. The study also highlighted internal weaknesses; 40 per cent of those
that reported a security breach blamed operator or user error rather than technical failings.