Reading the Information Security Breaches Survey

PwC recently published the “Information Security Breaches Survey 2006” report, sponsored by the Department of Trade and Industry (DTI) in the UK. The 8th such survey is aimed at raising awareness among UK businesses of the risks they face in the internet age. Below are some highlights from my quick read through it, and some thoughts.

Identity Management:

  • Staff misuse of information systems is the single largest source of incidents for large businesses. Overall though, the conventional picture that most security breaches are internal does not hold true. Internal breaches do, expectedly, prove to be far more costly.
  • Especially interesting to me was the reports assessment that only 1% of UK companies have a comprehensive approach to Identity Management, with an overwhelming majority saying that there is no need to improve it. In an environment that is increasingly connected, mobile and open, and where practices like outsourcing and offshoring are becoming more commonplace, that is a serious problem of perspective. This indicates that we need to do a better job of making businesses aware of the risks they face and options they have.
  • Surprisingly, most businesses still don’t see the need for strong authentication. Businesses that have deployed strong auth have done so only for specific applications, instead of deploying enterprise wide.
  • User ID and Password proliferation is rampant in large businesses. As a result, the security models are weaker, and the business more exposed. Only 1 in 4 businesses has deployed SSO.
  • The use of physical security measures is still weak, and usually limited to security of the premises. Rarely is the physical security system tied in to any kind of identity management system.
  • Regular auditing of processes and access is increasing, especially in companies following an offshore model; even more so in businesses subject to Sarbanes-Oxley compliance.
  • Electronic access requests not backed by automated user provisioning are more likely to experience unauthorised access.
  • There is a growing awareness that I&AM is not just about technology, but also about how security is woven into the way we do business.

Other tidbits:

  • The report states that the increased investment in security has dampened the growth in the number of security incidents. However the total cost of security incidents has gone up, with smaller businesses especially hard hit. Smaller businesses are reporting more incidents, while larger ones are reporting less.
  • Many businesses have not achieved a security-aware culture, with security projects not prioritized high enough or focused on key risk areas.
  • The report states that “there is a correlation between security expenditure and those firms that perform risk assessments.” Any firm that does a risk assessment ends up spending  a bigger chunk of their IT budget on security than those who don’t. Obviously firms are under-estimating their security needs and the types of threats that they are vulnerable to.

The survey makes for an interesting read, and provides good statistical numbers to back up its assessments. It is available on the web at: DTI Information Security Breaches Survey 2006. As always, feel free to share your thoughts with me.