Investment by UK Companies in Security is Paying Off

Three-quarters of UK businesses rate security as a high or very high priority for their senior management or board of directors, according to the latest government-sponsored survey of information security breaches in the UK, conducted by a consortium led by PricewaterhouseCoopers LLP. The priority given to security has translated into action. UK companies are spending more on information security controls than ever, on average 4-5% of their IT budget, up from 3% in 2004 and 2% in 2002. The increased expenditure is leading to better adoption of security controls; for example, three times as many companies have a security policy as did six years ago, and 98% of businesses have anti-virus software in place.

This investment appears to be paying off. Fewer companies had security incidents than in 2004 when the survey was last undertaken. Overall, 62% of businesses have had a security incident in the past year, down from 74% two years ago. Large businesses continue to be more security-conscious and they have reaped rewards as the total cost to them of security incidents has fallen by 50% over the last two years.

However, the burden of security incidents is falling on small businesses where security controls tend to be less well-developed. The average number of incidents suffered has risen by 50% to roughly eight a year. The average cost (principally business disruption cost rather than cash losses) of a UK company's worst security incident was approximately