A third of companies are not reviewing IT security policies

Security is not enough of a priority

Almost a third (30 per cent) of companies have neither measured nor reviewed the effectiveness of their information security policies over the past year, according to a survey by PricewaterhouseCoopers (PwC).

And less than one in three said they were very confident that their information security was effective while even fewer, less than one in four, felt very confident about the effectiveness of their suppliers’ or business partners’ security.

"There appears to be an overall misalignment with executive management’s view of security, causing many organisations to fail to capture the full value from their spending in this area," said William Beer, director in the information security group of PwC.

"Information has become the new currency of business. Its availability, integrity and confidentiality are crucial components of a collaborative business.”

And firms have still not cottoned on to the fact that security is about people as much as technology, a key finding of a PwC report for the government earlier in the year.

According to the survey, employees and former staff were together responsible for 41 per cent of incidents.

“One of the best ways of improving security across a business is to match technology investments with a commitment to other key drivers - the critical business and security processes that support technology and the people that administer and use them," said Beer.

The consequences of UK incidents were financial losses (40 per cent), fraud (28 per cent) intellectual property theft and brand/reputation compromised (both 25 per cent). Some 13 per cent of the incidents cost UK companies between $100,000 and $500,000 (£57,000 to £287,000) each.

Evaluating the security of third party providers was seen as the most important factor to keep in mind for the future.

The survey polled 7,000 information technology executives from 119 countries.