The priority given to security has translated into action. UK companies are spending more on information security controls than ever, on average 4-5% of their IT budget, up from 3% in 2004 and 2% in 2002. The increased expenditure is leading to better adoption of security controls; for example, three times as many companies have a security policy as did six years ago, and 98% of businesses have anti-virus software in place.
This investment appears to be paying off. Fewer companies had security incidents than in 2004 when the survey was last undertaken. Overall, 62% of businesses have had a security incident in the past year, down from 74% two years ago. Large businesses continue to be more security-conscious and they have reaped rewards as the total cost to them of security incidents has fallen by 50% over the last two years.
However, the burden of security incidents is falling on small businesses where security controls tend to be less well-developed. The average number of incidents suffered has risen by 50% to roughly eight a year. The average cost (principally business disruption cost rather than cash losses) of a UK company's worst security incident was approximately £12,000 - up from £10,000 two years ago. Overall, an indicative estimate of the total cost of security breaches to UK plc is up by 50% from two years ago, and is around £10 billion per annum.
Greater use of emerging technologies is changing the nature of the security threat UK businesses face. Companies are slow to adopt controls to reduce this threat. A quarter of UK businesses is not protected against spyware. Although more wireless networks are protected than two years ago, one in five is still completely unprotected and a further one in five is unencrypted. 55% of firms have not taken any steps to protect themselves against the threat posed by removable media devices. Two-fifths of companies that allow staff to use Instant Messaging have no controls in place over its use. Of the companies that have implemented Voice over Internet Protocol (VOIP) telephony, half did so without evaluating the security risks.
Chris Potter, the partner from PricewaterhouseCoopers LLP leading the survey, said: "Overall, UK businesses are more aware than ever of the risks they face from information security breaches, in an environment where threats are on the increase, but some still seem to believe they are immune to the dangers and don't have even basic security controls in place. This is particularly worrying as we see new technologies emerging that pose new threats to UK plc. Businesses cannot afford to become complacent.
"What is clear is that the cost to UK plc has never been greater and companies should take steps to put security in place to protect themselves against unwelcome - and expensive - security breaches."
The Rt Hon Alun Michael, Minister for Industry and the Regions, said: "We commission this survey every two years because knowledge is a vital weapon against the growing scale and sophistication of the threats to security.
"We are working with companies small and large in many different ways to help them fight back against the threats to their business, and there has been a steep rise since the last survey in the amount of money spent on security by UK firms.
"The number of companies affected has dropped slightly since the last survey but there is no room for complacency. The cost of the damage caused by the attacks on security has risen as the nature of the attacks has become more serious. That's why it's crucial to have good security in place, which also respects the way that ICT is used within the business so that security is not an inhibitor to effective working."