UK companies have insufficient IT security plans according to survey

17 March 2003

The majority of British companies are still failing to fully address IT security risks, according to a survey of senior IT managers conducted by BCS and Henley Management College.

A newly published survey, 'Information Security Policy Management', questioned senior IT managers on the issue of IT security and revealed that many organisations do not have sufficient plans in place to manage potential threats to IT systems.

Whilst 91% of companies surveyed have security policies in place to avoid or reduce threats, many do not have full contingency plans for different events that may damage or compromise their systems. Fewer than half of organisations have formalised procedures for a threat such as a bomb or fire, and only a third have a formal plan of what they would do in the event of a virus bypassing their anti-virus software.

39% of respondents thought breaches of confidentiality were the main risk to corporate data compared to 20% who thought availability threats through service failures were the main risk. It was generally perceived that there was a greater risk of problems being generated internally rather than by external factors. Internal fraud and abuse was seen to be the biggest threat to IT security, rated as high or medium by 72% of organisations.

Whilst half of respondents believe a security culture is fostered within their company, it was felt that a lower priority was given to promoting such a culture through education and training. Just 41% of organisations facilitate IT security training and 26% recruit IT security professionals.

The survey revealed that company Boards demonstrate a varying level of interest in the issue of IT security. Only a third of respondents felt their Boards took a proactive interest in the issue of IT security and it was felt that security was more likely to be seen as an operational issue while the potential risks were unappreciated.

According to BCS Chief Executive David Clarke, "As the biggest concern of the respondents related to confidentiality and internal fraud, it is clear that spending more money on technology is not always necessary. Appropriate investments need to be made in expertise and training to encourage greater awareness of the potential risks to IT systems."

For further information please contact the BCS Press Office.