Info Breaches

by msecadm4921

One in five of the UK’s larger companies suffered security breaches of their information systems in the last year because of weaknesses in their approach to identity management, a new survey shows.

This is one of the key, initial findings from the 2004 Department of Trade and Industry’s biennial Information Security Breaches Survey, conducted by a consortium led by PricewaterhouseCoopers. The full results of the Survey will be launched at InfoSecurity Europe in London, April 27-29. Other key findings from the telephone survey of some 1,000 companies include:
• About one in ten large companies had a significant fraud or breach in confidentiality. More than half of all companies affected said it was their worst incident of the year, even outweighing virus infections.

• Confidentiality breaches caused significant business disruption (for more than a month in 15pc of the cases) and took significant staff time to investigate, on average 10-20 man-days. These breaches also incurred the biggest direct cash cost of any security incident – more than £100,000 in legal fees, investigation costs and fines in 15pc of cases.

• Companies’ access controls are failing to prevent these incidents. The first root cause is that often the sheer number of users and systems puts user administration processes under strain. To counter this, companies are increasingly automating their processes for granting access to systems. Some 16pc of all companies and 31pc of large ones do this. Automating user provisioning appears to work. None of the respondents that had done this had suffered financial frauds or systems penetration from outside in the last year.

• The second root cause is over-reliance on passwords to check users’ identity. Some 87pc of all companies rely solely on user ID and password, while seven per cent have no controls at all. Businesses that adopt single sign-on without strong authentication had a higher than average incidence of unauthorised access. Tokens, smart cards and biometrics are only used in six pc of companies. This rises to roughly a quarter of the large businesses. The latter seem to be reaping the benefit with just three pc suffering from an unauthorised access breach compared to 20pc for those that haven’t adopted these levels of authentication.

What they say

Chris Potter, the PricewaterhouseCoopers partner leading the survey, said: ‘Companies have traditionally been poor at setting up new users and deleting leavers from their systems. We are increasingly seeing businesses automate these processes. While most businesses over-rely on passwords, large organisations are also starting to adopt strong authentication methods such as smart cards and tokens to check users’ identity. A comprehensive approach to identity management includes strong authentication, access control and provisioning. The results of this survey clearly demonstrate the benefits early adopters have gained in terms of reduced security incidents.’

Philip Richardson, vice president, Northern Europe, Middle East and Africa, Entrust, added: ‘It is amazing that one in five businesses experienced a security breach in the past year as a result of weaknesses in their approach to identity management when the technology needed to reduce this risk is now so readily available. However, the message seems to be resonating with senior executives and Board-level directors. Decision-makers are not only becoming more aware of the potential disruption and damage that security breaches can cause to business, but also that there are new information security governance concerns presented by the changing regulatory landscape.’

About the Survey

The 2004 DTI Information Security Breaches Survey is part of the Department of Trade and Industry’s work with British industry to understand the impact of information security breaches. It aims to raise awareness among UK companies and public sector organisations of the value of effective information security management. The survey was conducted between October 2003 and January 2004 and is based on 1,000 telephone interviews with organisations of all sizes across all areas of the UK, plus a series of face-to-face interviews. A consortium led by PricewaterhouseCoopers is managing the 2004 survey. Other lead sponsors are Microsoft, Computer Associates and Entrust. Input has also come from the National Hi-tech Crime Unit, Royal Holloway, University of London, and the Information Assurance Advisory Council. Full results of the seventh, biennial survey will be published at the InfoSecurity Europe exhibition and conference in London, April 27-29. The factsheet ‘Viruses and malicious code’ can be downloaded from site.

© 2024 Professional Security Magazine. All rights reserved.