The overall cost to UK plc of reported security breaches has dropped by a third, due to a tripling of the average spend on IT security since 2002, according to the Information Security Breaches Survey 2008 carried out by a consortium led by PricewaterhouseCoopers on behalf of the UK Department for Business, Enterprise & Regulatory Reform.

The security landscape has improved markedly over the last six years, the survey reports, with:

• 98 per cent of companies now have software to scan for spyware.
• 55 per cent of UK companies have a documented security policy (2002: 27 per cent).
• 40 per cent of businesses provide ongoing security awareness training to staff (2002: 20 per cent).
• 14 per cent use strong (i.e. multi-factor) authentication, and 11 per cent have implemented the British/International Standard for information security management (BS 7799/ISO 27001), versus only 5 per cent in 2002.

Despite these gains, the survey shows that many companies continue to be vulnerable to loss of confidential data. Some 80 per cent of polled companies that have computers stolen, for instance, have not encrypted their hard drives and two-thirds of companies do not stop confidential data leaving the organisation on USB memory sticks.

However, according to Steve Browell, general manager, Security Division, at Bell Micro, the survey "fails to demonstrate a prioritisation of the threats to a business' security profile, driving knowledge that can deliver better decision making. The industry must identify a better framework to assess an organisation's security profile".

Image: The Information Security Breaches Survey 2008 shows that many companies continue to be vulnerable to loss of confidential data

What do you think about the issues raised in this news story? Share your views at the IT discussion forum.

More IT industry news from the IET