Friday 12 March 2004 - News - Security
Companies leaking confidential information
Make better use of IT access control systems, firms told
One in five large companies are failing to stop vital company information leaking to the outside world through their IT systems, it was revealed this week.
The findings of the latest Department of Trade and Industry (DTI) 'Information Security Breaches Survey' showed how weak access control systems were causing companies to lose vital and confidential information.
The study, carried out by a consortium led by consultants PricewaterhouseCoopers, showed that around one in ten large firms had a "significant" fraud or breach in confidentiality last year. More than half of all companies affected said it was their worst incident of the year, outweighing virus infections.
Chris Potter, the PricewaterhouseCoopers partner leading the survey, told The NetRisk that businesses were affected by two main types of confidentiality breach - internal and external.
External breaches, which he said accounted for around two-thirds of breaches, involved hackers, organised criminals or business competitors breaking into IT systems and stealing information. The remaining third involved employees stealing or leaking confidential records to others.
New 'gadgets'
Chris Potter told us that large firms were four times more likely than small businesses to suffer confidentiality breaches. Overall, most incidents were isolated; however, large companies were ten times more likely to suffer multiple breaches, he added.
Also, technology companies were three times more likely to suffer a breach, whereas agricultural firms for example reported no IT security breaches at all. Chris Potter said that as well as holding more valuable information, technology firms also tended to be "early adopters" of new technologies - such as wireless networks and handheld computers - which tended to be more vulnerable.
He added that while some technology firms were keen to use new "gadgets" to help with operational efficiency, many neglected to make use of new techniques to improve security.
The survey revealed that there remained an "over-reliance" on passwords to check users' identity. Some 87% of all companies relied solely on user ID and password, while 7% had no controls at all!
Businesses with "single sign-on" without strong authentication had a higher than average incidence of unauthorised access. Access control systems such as tokens, smart cards and biometrics were only used in 6% of companies. Just 3% of those companies suffered an unauthorised access breach, compared to 20% of those that had not adopted these levels of authentication, the study showed.
Disruption costs
As well as the threat to business and reputation caused by loss of confidential information, security breaches also caused significant business disruption to firms - more than one month in 15% of the cases. Rather than simple downtime, which is the main disruption from viruses, it was significant staff and management time that was lost as a result of confidentiality breaches, according to the study.
Such breaches also incurred the largest direct cash cost of any security incident - more than £100,000 in legal fees, investigation costs and fines in 15% of cases.
PricewaterhouseCoopers' Chris Potter said: "Companies have traditionally been poor at setting up new users and deleting leavers from their systems. We are increasingly seeing businesses automate these processes.
"While most businesses over-rely on passwords, large organisations are also starting to adopt strong authentication methods such as smart cards and tokens to check users' identity. A comprehensive approach to identity management includes strong authentication, access control and provisioning.
"The results of this survey clearly demonstrate the benefits early adopters have gained in terms of reduced security incidents."
An 'Identity Management' factsheet, sponsored by identity and access management solutions provider Entrust, can be downloaded from the Information Security Breaches Survey website.
Johnny Thomson

