Security Controls Improve, But Private Data Is Still at Risk

In New Developments, internal auditors will find information about the most recent IT and audit research reports and survey results; new IT, security, and privacy legislation; and other news items of importance to auditors.

Thirteen percent of large businesses have detected intruders, according to the 2008 Information Security Breaches Survey (PDF, 1.1 MB), conducted by PricewaterhouseCoopers (PwC) LLP on behalf of the United Kingdom's Department for Business, Enterprise, and Regulatory Reform (BERR). Although not a large percentage by itself, this number represents a tenfold increase in intruder attacks during the last two years. The survey of 1,007 information security (IS) professionals in the United Kingdom also found dramatic changes in the security landscape in the six years since the first survey was conducted.

For example, this year's survey found that 55 percent of participating companies have a documented security policy compared to 27 percent of those surveyed in 2002. In addition, 40 percent of companies now provide ongoing security awareness training to staff, a 20-point increase since 2002, while 14 percent use strong, multifactor authentication, compared to 5 percent six years ago. "Companies increasingly realize that their people, while their greatest asset, can be their greatest vulnerability and so need to be educated on security risks," the report states. "Businesses are investing more in their security, especially those that think hardest about where to spend their money." Increases in investment have translated into improvements in security controls, particularly in the areas of antivirus protection and backup activities. More specifically:

  • 99 percent of companies back up critical systems and data.
  • 98 percent have spyware scanning software.
  • 97 percent filter incoming e-mail for spam and protect their Web sites with a firewall.
  • 95 percent scan incoming e-mail for viruses.
  • 94 percent encrypt wireless network transmissions.

Furthermore, this higher investment in controls has led to fewer reported incidents: virus infections have dropped from the largest cause of security incidents to fourth place out of five. Better controls also improve detection. Companies that perform a risk assessment, for instance, are four times as likely to detect identity theft as those that do not. Despite these positive findings, the survey found that confidential information is increasingly at risk, especially in large organizations, and that many companies are not doing enough to protect themselves and their customers' information. Nearly 70 percent of surveyed companies do nothing to prevent confidential data from leaving company premises on flash drives, 78 percent of companies that had computers stolen had not encrypted the hard disks, and 84 percent of companies do not scan outgoing e-mail for confidential data.

To prevent IS incidents, the survey recommends that organizations understand the security threats they face by drawing on the right knowledge sources and use risk assessments to target security investment where it yields the most benefit. Companies should also integrate security into normal business behavior through clear policy and staff education, deploy integrated technical controls, and plan ahead for contingencies so that they can respond quickly and effectively to breaches.

For more information about the survey or to download an executive summary, visit the PwC Web site.