UK government security survey - situation improving?
The BERR 2008 Information Security Breaches Survey, conducted on behalf of the Department for Business, Enterprise and Regulatory Reform (BERR, previously the DTI) by PricewaterhouseCoopers, was published yesterday at the Infosecurity Europe expo in London. The overall picture is moderately confidence-inspiring. Figures for incidents are down, better controls seem to be in place, and security awareness, or at least recognition of the need for security, at board level seems to be improving. However, there are still some serious shortcomings in security management.
Large enterprises fare better than their more numerous medium-sized counterparts. The report states that although "at a large professional services firm, the IT director sits on the main board…", "Senior management at a medium-sized financial services provider … do not have a good understanding of security issues." Across all respondents, 34 per cent consider security a high priority, and 47 per cent a very high priority, for the board. Forty per cent believe top management or board members understand security risks well, and 39 per cent very well. However, only 33 per cent are very confident that they have trapped all significant breaches during the survey year. Fifty-five per cent are "quite confident" they have, which of course expresses considerable uncertainty.
Overall, only 55 per cent of respondents have a documented security policy and a mere 40 per cent offer security awareness training, the remainder overwhelmingly relying on contractual obligation rather than information and guidance. One very disturbing finding was that no more than 21 per cent of all respondents (46 per cent of large corporates) employ security officers who are "aware of the contents" of BS 7799, ISO 27001 and ISO 17799. As these are baseline standards for information security management, the question arises how any practising security professional can be unaware of their content.
Use of basic data security controls is better: 85 per cent of all businesses now back up their data, 82 per cent on a daily basis. Seventy-two per cent have disaster recovery plans (DRP), but 35 per cent have never tested their DRP. Ninety-five per cent now use automated malware scanning on incoming data, but only 77 per cent scan outgoing data. Eighty-two per cent install anti-virus updates within the day, but only 49 per cent install system patches on a cycle shorter than a month, even though conventional anti-malware tools are declining in effectiveness as a front-line defence against automated fast-turnaround and zero-day attacks, which makes timely patching all the more important. Fifty-four per cent have no intrusion detection system (IDS) in place. Finally, 76 per cent of all businesses and 46 per cent of large corporates still rely solely on user IDs and passwords for authentication.
Corporate web sites remain a weak link. Fifty-nine per cent of all respondents and 27 per cent of large corporates rely on external hosting and do not know the security controls of their hosting providers. The picture is marginally better than in 2006, when the figure was 64 per cent across the board. Over 80 per cent – presumably of those who self-host – use firewalls or IDS to protect their web site, but 10 per cent do not encrypt payment transactions with their customers.
Attacks are common but not universal. Forty-five per cent of respondents reported some kind of security incident, and 35 per cent declared a malicious incident. The figures for large corporates were substantially greater, at 72 per cent and 68 per cent respectively. The median for those that had at least one incident was six incidents across the board and 15 for large corporates. However, the majority of incidents (62 per cent overall and 57 per cent for large corporates) were declared as internal in origin. The type of the "worst security incident" showed no significant bias for large corporates, although system failure dominated slightly in the overall figure, suggesting that smaller businesses are less effective at systems maintenance. Probably the most worrying finding on attacks is that 73 per cent (68 per cent for large corporates) did not know the cause of their worst virus infection, up from 62 per cent across the board in 2006. Staff misuse was named by 50 per cent as the most disruptive type of incident, followed by system failure (21 per cent). For 90 per cent of incidents of all types the response took up to 10 man-days, quoted as costing up to £2,000, although that figure seems somewhat optimistic. Eighty-eight per cent stated that they incurred no direct losses as a result of their worst incident of the year.
Overall, a picture emerges of considerable and growing confidence that may not be entirely grounded in fact. So although the overall position appears somewhat better than in 2006, a distinct gap can be seen between assumptions of security by business management and the provisioning and monitoring of what is really happening at the coal face. Basics, such as ensuring the competence of security staff, controlling internal systems misuse, testing DRP and securing web transactions should no longer be issues.