Firms fail to act on web attacks

11 Apr 2000

UK companies are not learning from their mistakes when it comes to security in ebusiness.

Research by the Department of Trade and Industry found that 60 per cent of 1,000 UK firms contacted had suffered a serious security breach in the previous two years - and that in two out of three cases "nothing has changed" since the incident occurred.

Its research also revealed that four out of every five businesses do not use any firewall protection, and 59 per cent of companies that have a website do not have specialist protection.

Respondents estimate that security breaches cost them between £20,000 and £100,000 per breach. Human error accounted for 40 per cent of the incidents cited.

Researcher KPMG interviewed 179 managers responsible for information security in companies with a turnover of more than £10 million. A third of companies had no automatic system for reporting hacking attacks, a quarter had never tested the security of their Internet connection, and more than a third had no recovery plan in case that connection broke down.

Although viruses cause the greatest number of incidents, they rank low as a material security concern. They were mentioned by only seven per cent of respondents, who are more concerned with security gaps caused by ecommerce developments (mentioned by 55 per cent).

Even though 78 per cent said the main obstacle to ecommerce adoption is security, KPMG said ecommerce is the area where security is most lax.

"IT departments often don't understand what information is important and what should be protected. IT people are dealing with security, but business should set the framework," said Robert Coles, head of information security at KPMG.

"It's very difficult to present a business case for security because it is difficult to calculate the risks of the internet," he added.

According to KPMG, companies are getting better at managing the traditional risks through measures such as changing passwords, creating disaster recovery plans and carrying out security audits of third parties, such as outsourcers.

Companies should look at providing security as a way of driving new business rather than as an inhibitor, according to Jonathan Care, head of security practice at Cap Gemini.

"Companies have focused on adding functionality rather than adding security and reliability," he said.
