The study, conducted by a consortium led by PricewaterhouseCoopers, found that British companies are spending more on information security controls than ever: on average four to five percent of their IT budgets, up from three percent in 2004 and two percent in 2002.
The increased expenditure is leading to better adoption of security controls for example, three times as many companies have a security policy as did six years ago, and 98 percent of businesses have anti-virus software in place.
This investment appears to be paying off, the report stated, as fewer companies had security incidents than in 2004 when the survey was last undertaken. Overall, 62 percent of businesses have had a security incident in the past year, down from 74 percent two years ago. Large businesses continue to be more security conscious and they have reaped rewards as the total cost to them of security incidents has fallen by 50 percent over the last two years.
However, the burden of security incidents is falling on small businesses where security controls tend to be less developed. The average number of incidents has risen by 50 percent to roughly eight a year. The average cost (principally business disruption cost rather than cash losses) of a U.K. company's worst security incident was approximately £12,000 - up from £10,000 two years ago. Overall, an indicative estimate of the total cost of security breaches is up by 50 percent from two years ago, and is around £10 billion per annum.
Greater use of emerging technologies is found to be changing the nature of the security threat U.K. businesses face. Companies are slow to adopt controls to reduce this threat. A quarter of U.K. businesses are not protected against spyware.
Although more wireless networks are protected than two years ago, one in five is still completely unprotected and a further one in five is unencrypted. Fifty five percent of firms have not taken any steps to protect themselves against the threat posed by removable media devices. Two-fifths of companies that allow staff to use instant messaging have no controls in place over its use. Of the companies that have implemented voice over internet protocol (VOIP) telephony, half did so without evaluating the security risks.
Chris Potter, a partner from PricewaterhouseCoopers LLP leading the survey, said: "Overall, U.K. businesses are more aware than ever of the risks they face from information security breaches, in an environment where threats are on the increase, but some still seem to believe they are immune to the dangers and don't have even basic security controls in place."
Alun Michael, minister for Industry and the Regions, added: "We commission this survey every two years because knowledge is a vital weapon against the growing scale and sophistication of the threats to security.
"The number of companies affected has dropped slightly since the last survey, but there is no room for complacency. The cost of the damage caused by the attacks on security has risen as the nature of the attacks has become more serious. That's why it's crucial to have good security in place, which also respects the way that ICT is used within the business so that security is not an inhibitor to effective working."