
Unauthorised User Access To Computer Systems Increasing Headache For British Business, Survey Shows

11 Mar 2004

LONDON, UK (PricewaterhouseCoopers press release) -- One in five of the UK's larger companies suffered security breaches of their information systems in the last year because of weaknesses in their approach to identity management, a new survey shows. This is one of the key, initial findings from the 2004 Department of Trade and Industry's biennial Information Security Breaches Survey, conducted by a consortium led by PricewaterhouseCoopers. The full results of the Survey will be launched at InfoSecurity Europe in London, April 27-29.

Other key findings from the telephone survey of some 1,000 companies include:

  • Roughly one in ten large companies had a significant fraud or breach in confidentiality. More than half of all companies affected said it was their worst incident of the year, even outweighing virus infections;
  • Confidentiality breaches caused significant business disruption (for more than a month in 15% of the cases) and took significant staff time to investigate, on average 10-20 man-days. These breaches also incurred the biggest direct cash cost of any security incident - more than £100,000 in legal fees, investigation costs and fines in 15% of cases;
  • Companies' access controls are failing to prevent these incidents;
  • The first root cause is that often the sheer number of users and systems puts user administration processes under strain. To counter this, companies are increasingly automating their processes for granting access to systems. 16% of all companies and 31% of large ones do this. Automating user provisioning appears to work. None of the respondents that had done this had suffered financial frauds or systems penetration from outside in the last year;
  • The second root cause is over-reliance on passwords to check users' identity. Some 87% of all companies rely solely on user ID and password, while worryingly 7% have no controls at all. Businesses that adopted single sign-on without strong authentication had a higher than average incidence of unauthorised access. Tokens, smart cards and biometrics are only used in 6% of companies. This rises to roughly a quarter of the large businesses. The latter seem to be reaping the benefit with just 3% suffering from an unauthorised access breach compared to 20% for those that haven't adopted these levels of authentication.

These findings are published in a fact sheet - 'Identity Management' - sponsored by one of the world's leading identity and access management solutions providers, Entrust.

Chris Potter, the PricewaterhouseCoopers partner leading the survey, said:

"Companies have traditionally been poor at setting up new users and deleting leavers from their systems. We are increasingly seeing businesses automate these processes. While most businesses over-rely on passwords, large organisations are also starting to adopt strong authentication methods such as smart cards and tokens to check users' identity. A comprehensive approach to identity management includes strong authentication, access control and provisioning. The results of this survey clearly demonstrate the benefits early adopters have gained in terms of reduced security incidents."  

Philip Richardson, vice president, Northern Europe, Middle East and Africa, Entrust, added:

"It is amazing that one in five businesses experienced a security breach in the past year as a result of weaknesses in their approach to identity management when the technology needed to reduce this risk is now so readily available.  However, the message seems to be resonating with senior executives and Board-level directors.  Decision-makers are not only becoming more aware of the potential disruption and damage that security breaches can cause to business, but also that there are new information security governance concerns presented by the changing regulatory landscape."

ENDS

Notes to editors

1. About the Survey

The 2004 DTI Information Security Breaches Survey is the most authoritative survey about this issue in the UK. It is part of the Department of Trade and Industry's work with British industry to understand the impact of information security breaches. It aims to raise awareness among UK companies and public sector organisations of the value of effective information security management. 

The survey was conducted between October 2003 and January 2004 and is based on 1,000 telephone interviews with organisations of all sizes across all areas of the UK, plus a series of face-to-face interviews. A consortium led by PricewaterhouseCoopers is managing the 2004 survey. Other lead sponsors are Microsoft, Computer Associates and Entrust. Input has also come from the National Hi-tech Crime Unit, Royal Holloway, University of London, and the Information Assurance Advisory Council.

The full results of the seventh, biennial survey will be published at the InfoSecurity Europe exhibition and conference in London, April 27-29.

The factsheet 'Viruses and malicious code' can be downloaded from http://www.dti.gov.uk/files/file9994.pdf

2. About Entrust

Entrust, Inc. [Nasdaq: ENTU] is a leading provider of Identity and Access Management solutions, enabling businesses and governments to transform the way they conduct online transactions and manage relationships with customers, partners and employees. Entrust's solutions promote a proactive approach to security that provides accountability and privacy to online transactions and information. Over 1,200 enterprises and government agencies in more than 50 countries use Entrust's portfolio of security software solutions. For more information, visit www.entrust.com


3. About PricewaterhouseCoopers

PricewaterhouseCoopers (www.pwc.com/uk) provides industry-focused assurance, tax and advisory services for public and private clients. More than 120,000 people in 139 countries connect their thinking, experience and solutions to build public trust and enhance value for clients and their stakeholders.  PricewaterhouseCoopers has one of the largest information security teams in the world; its specialists have extensive experience of investigating security breaches and in-depth knowledge of the techniques available to protect against and limit the damage from such breaches.

Unless otherwise indicated, PricewaterhouseCoopers refers to PricewaterhouseCoopers LLP, a limited liability partnership incorporated in England. PricewaterhouseCoopers LLP is a member firm of PricewaterhouseCoopers International Limited.

 


Entrust is a registered trademark of Entrust, Inc. in the United States and certain other countries. Entrust is a registered trademark of Entrust Limited in Canada. All other Entrust product names and service names are trademarks or registered trademarks of Entrust, Inc. or Entrust Limited. All other company and product names are trademarks or registered trademarks of their respective owners.