U.K. firms suffer from the enemy within

Staff misuse of the internet is the second largest cause of reported security incidents for large U.K. companies.

According to the latest preliminary results published today from the 2006 Department of Trade and Industry's biennial Information Security Breaches Survey, 90 percent of all British companies said protecting their reputation was one of the most important drivers for information security.

The study cited the accessing of inappropriate websites and excessive web surfing as major security threats.

Conducted by a consortium led by PricewaterhouseCoopers LLP, the report warned that some 88 percent of business internet connections are now broadband, increasing the risk of damage to reputation through staff misuse of web or email. In recognition of this, 63 percent of all companies and 89 percent of large firms have an acceptable usage policy. This is more than have an overall information security policy.

After the sharp rises in staff misuse levels seen two years ago, the number of companies affected has now stabilized, reflecting the impact of the improved levels of control. One in five companies overall was affected. Two-thirds of large businesses had at least one misuse incident in the last year. Some small companies reported hundreds of email abuses every day.

Chris Potter, the partner from PricewaterhouseCoopers LLP leading the survey, said: "As companies implement better controls around email and web usage, they tend to detect misuse already happening. Where those businesses have an acceptable usage policy in place, they are nearly three times as likely to detect misuse as those that don't. It is very hard to police this area if you haven't agreed what an acceptable usage policy is.

"An increasing number of companies are using email to communicate with customers and business partners. Given how important reputation is to businesses, it is surprising that five-sixths do not scan outgoing email for inappropriate content. Companies that scan their outgoing emails are much more likely to detect any misuse, but the worry is that the others may be letting inappropriate content slip through, to the potential detriment of their reputation," he added.

However, the research found that there are many U.K. businesses that are not taking the risks seriously. Three-fifths admitted not blocking access to inappropriate websites. Only one in six scans outgoing email for inappropriate content.

The telephone survey of 1,000 companies found that 41 percent of the worst incidents involved staff accessing inappropriate websites and a further 36 percent of worst incidents related to excessive web surfing. The most serious of such incidents involved access to illegal material; several companies reported incidents of staff accessing child pornography.

The average cost of individual incidents of misuse was relatively low compared with other types of security breach, with less than 10 percent causing business disruption or direct cash costs.

The study also reported a sharp increase in the proportion of U.K. businesses filtering incoming email for unsolicited messages Two thirds of the businesses that do not scan incoming emails for viruses do filter for spam and block suspicious attachments.

These findings are published in a factsheet, "E-mail and web usage," sponsored by security software specialist, Clearswift. The full results of the survey will be launched at Infosecurity Europe in London, April 25 to 27.

Ian Bowles, senior vice president of global operations for Clearswift, said: "These findings back our belief that prevention is indeed better than cure when you're talking about managing email traffic. The problem with giving employees easy access to email and the web is that the potential for damage is immense. Despite an increased awareness of the issue, employees are still the weakest link in the security chain."

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.