Staff misuse of the Internet risks damaging reputation of UK companies.
Staff misusing the Internet by accessing inappropriate websites or engaging in excessive web-surfing remains the second largest cause of reported security incidents after viruses for large UK companies, according to findings from the 2006 Department of Trade and Industry’s biennial Information Security Breaches Survey.
Some 90% of all companies said protecting their reputation was one of the most important drivers for information security. Some 88% of business Internet connections are now broadband, increasing the risk of damage to reputation through staff misuse of web or email. In recognition of this, one and a half times as many companies have an acceptable policy for Internet usage as two years ago: 63% of all companies and 89% of large ones have an acceptable usage policy. This is more than have an overall information security policy.
After the sharp rises in staff misuse levels seen two years ago, the number of companies affected has now stabilised, reflecting the impact of the improved levels of control. One in five companies overall was affected. Two-thirds of large businesses had at least one misuse incident in the last year. Some small companies reported hundreds of email abuses every day.
However, there are many UK businesses that are not taking the risks seriously. Three-fifths do not block access to inappropriate websites. Only one in six scans outgoing email for inappropriate content.
Key findings from the telephone survey of 1,000 companies include:
* Some 97% of companies now have an Internet connection and 88% of these are broadband; in the 2004 survey Internet usage was at 93% but most small business connections were dial-up.
* 17% of UK businesses suffered staff misuse of web access and 11% had misuse of email. Larger companies are more likely to have incidents involving staff misuse – 52% had web misuse and 43% had email misuse.
* 41% of the worst incidents involved staff accessing inappropriate websites and a further 36% of worst incidents related to excessive web surfing. The most serious of such incidents involved access to illegal material; several companies reported incidents of staff accessing child pornography.
* The average cost of individual incidents of misuse was relatively low compared with other types of security breach, with less than 10% causing business disruption or direct cash costs.
* Technology, telecommunications and utility companies were most likely to report incidents; retail and travel were the least likely.
* There has been a big increase in the proportion of UK businesses that filter incoming email for unsolicited messages (spam); two thirds of the businesses that do not scan incoming emails for viruses do filter for spam and block suspicious attachments.
* Protecting confidential information sent by email is still rare – in only a quarter of UK businesses can staff send encrypted email to the company’s business partners.
* Roughly one in five UK companies allows staff to download free auto-address software onto their PCs despite the fact that such software often stores confidential information such as email addresses on a third party’s servers.
Chris Potter, the partner from
PricewaterhouseCoopers LLP leading the survey, said “As companies implement better controls around email and web usage, they tend to detect misuse already happening. Where those businesses have an acceptable usage policy in place, they are nearly three times as likely to detect misuse as those that don’t. It is very hard to police this area if you haven’t agreed what an acceptable usage policy is.
“An increasing number of companies are using email to communicate with customers and business partners. Given how important reputation is to businesses, it is surprising that five-sixths do not scan outgoing email for inappropriate content. Companies that scan their outgoing emails are much more likely to detect any misuse, but the worry is that the others may be letting inappropriate content slip through, to the potential detriment of their reputation.”
Ian Bowles, senior vice president, global operations, Clearswift said: “These findings back our belief that prevention is indeed better than cure when you’re talking about managing email traffic. The problem with giving employees easy access to email and the web is that the potential for damage is immense. Despite an increased awareness of the issue, employees are still the weakest link in the security chain”.
The survey was conducted by a consortium led by PricewaterhouseCoopers LLP. The full results of the survey will be launched at Infosecurity Europe in London, 25-27 April.