Complacency is a serious security threat

18 Jun 2004


Identity theft, phishing and new forms of hacking and virus creation are growth crimes. And the levels of sophisticated encryption available to a very wide range of fraudsters is already presenting huge challenges to crime detection agencies.

Business has responded to these fears by spending on software. Computing's annual Image Trak survey has shown that security is the number one spending priority for IT decision-makers year after year.


Despite the downturn, last year more than two-thirds of companies increased spending on security technology, according to Meta Group. It accounted for an average eight per cent of IT budgets - up from 7.6 per cent in 2002, and only three per cent in 2001.

There's nothing wrong with that, provided security isn't allowed to become simply an IT question. But, unfortunately, experts warn that attitudes and processes too often have not changed.

"We have this fortress mentality trying to keep others out. The truth is that 80 per cent of security incidents are from within the company," says Ross Patel, director of last week's BCS IT Security Conference.

The image of hackers, crackers and spammers as super-smart technical wizards blinds us to the fact that they represent the same kind of threat we face in every other area of business.

"The threats are pretty generic. There is nothing really new," says Patel. "Most of the threats relate to fraud, which is an old crime. Technology just enables a new way to commit it."

What's needed are clear security policies to lock out criminals and make contingency plans in case those policies fail.

Yet the Chartered Management Institute (CMI) warns that more than half of UK businesses do not have any kind of business continuity plan and "are displaying a dangerously cavalier attitude towards confronting disruption".

A CMI study, published in association with the Business Continuity Institute and Colt Telecom, warned that complacency remains a major issue, despite wake-up calls from incidents as diverse as flooding, power cuts, terrorism and rapidly spreading internet viruses.

The research even reveals that many of the 47 per cent of organisations that do have plans do not know if they would work in practice. Only 57 per cent tested their plans annually or more frequently.

One in 10 of those with a plan also admitted they have not made changes even when they discover shortcomings as a result of testing.

John Sharp, chief executive of the Business Continuity Institute, suggests that many businesses are simply "burying their heads in the sand".

"Business continuity management helps to prevent and prepare for disruption to normal business operations, and can save an organisation and its employees if disaster strikes," he says.

But some surveys suggest that those that do take action are getting results. The number of cybercrimes and hacker attacks, and the cost attributed to such intrusions, declined for the fourth straight year, according to data released this week by the Computer Security Institute (CSI).

"Our survey respondents appear to be getting real results from their focus on information security," said Chris Keating, CSI's director, in a statement.

In its ninth annual Computer Crime and Security Survey, the association noted that the downward trend, which started in 2001, resulted in the lowest percentage since 1999 of those polled who reported unauthorised use of their systems.

The figures remain very high. In the past 12 months, about 53 per cent of the nearly 500 IT and security managers surveyed said that their organisations had experienced an attack. But the 2004 survey said costs of security breaches also declined year on year.

For the first time, said the CSI poll, denial-of-service attacks took the top spot as the most expensive computer crime, accounting for about 18 per cent of the total cost of security invasions. The former top dog - intellectual property theft - fell to second place at eight per cent.

The denial-of-service attack figures come as no surprise, because several major security outbreaks over the last 12 months have involved worms that targeted specific firms, such as the SCO Group and Microsoft.

The MyDoom worm, for instance, hit both companies with denial-of-service attacks earlier this year.

"Not all organisations maintain the same defences, and hackers won't become complacent anytime soon, so we still have our work cut out for us," says Keating.

"The message here is that it makes sense to continue focusing on adherence to sound practices, deployment of sophisticated technologies, and adequate staffing and training."
