from the la-la-la-we-can't-hear-you dept.
UK businesses' response to security breaches has "astounded" experts following the release of the government's official cybercrime stats for 2024.
The report from the Department for Science, Innovation and Technology (DSIT), released today, painted security as more of an afterthought for UK businesses, especially when considering the figures about how breaches are handled.
Some of the figures are remarkably low. For example, only 22 percent of 2,000 businesses have a formal incident response plan in place, which has "astounded" experts.
"Only a fraction of UK businesses have any kind of formalized incident response plan, which I find astounding," said Andy Kays, CEO at Socura. "Businesses will always have a plan in case of a fire, but will not apply the same due care for a data breach – which is statistically much more likely. It flies in the face of common sense."
Reporting of breaches to external authorities and organizations is also low. Only 10 percent of businesses rang the police after the most disruptive breach they detected in the previous 12 months – a figure that halves when looking at who reports incidents to the National Cyber Security Centre (NCSC).
Reporting rates to arguably the most important entity, the Information Commissioner's Office (ICO), weren't even included in the report since the watchdog didn't make the top ten organizations that receive reports of breaches. Banks, building societies, and credit card issuers, on the other hand, placed first – 32 percent of businesses reported incidents to them.
Clients and customers were only alerted 5 percent of the time.
In most cases (68 percent), organizations don't deem the incidents significant enough to report to anyone. Other excuses included not knowing where to report incidents (13 percent of businesses), thinking a report would make no difference (9 percent), and incidents being too recent to allow time to report (4 percent).
As for the action taken, as many as 39 percent of businesses took no action following their most disruptive breach in the previous 12 months. Most defaulted to delivering more training to staff (23 percent), with a much smaller proportion making any changes to firewalls (9 percent) or anti-malware solutions (8 percent).
Small and micro businesses appear to be pulling the figures down considerably. Overall, 59 percent of businesses enacted some sort of organizational change following a breach, but medium and large businesses were much more likely to take action, with 74 percent and 86 percent respectively doing something to prevent further intrusions.
Breaches that resulted in material outcomes for victims, such as the theft of data, led to slightly different results. A greater diversity of measures was enacted by businesses and charities in this case, such as introducing new security tools, but still, 18 percent of businesses did absolutely nothing in response, even after a material breach.
"In the event of a breach, businesses are not keeping records, not informing the police or regulators, not assessing the scale and impact of the incident," said Kays.
"They are failing to do the bare minimum. It's also important to note that businesses are doing very little to prevent or detect breaches in the first place."
Figures from DSIT's survey also showed a general decrease in awareness of security initiatives and willingness to seek support.
(Score: 2) by Gaaark on Thursday April 11, @01:15AM
Probably the same results or worse would be found in every country heavily reliant on Microsoft products.
It's just easy to forget about security when you spend no money ON security because you spend it all on Windows, etc.
Why spend money on proper IT standards and people with actual skills? Buy MS security and fugged' about it!
