Stuart Gentle Publisher at Onrec

Employee Internet abuse on the increase

New Survey

Around one in five of all UK companies suffered from employees abusing their Internet access last year, with nearly two-thirds of large businesses affected. Companies that experienced Internet abuse had an average of one incident a week. The two biggest causes were excessive personal emails and access to inappropriate websites. These are among the initial findings from the 2004 Department of Trade and Industry’s biennial Information Security Breaches Survey, conducted by a consortium led by PricewaterhouseCoopers. The full results of the Survey will be launched at InfoSecurity Europe in London, 27-29 April.


Key findings from the survey of some 1,000 companies include:



Employees have access to the web in 89% of UK businesses (98% in large companies), up from 69% in 2002 when the survey was last carried out; the equivalent figures for access to Internet email are slightly higher;

Overall, nearly two-thirds of larger companies, and one in five of all businesses, reported staff misusing company systems, citing excessive web browsing, email misuse, unauthorised access to systems and legal infringements;

8% of businesses said their worst security incident of the year involved Internet misuse and roughly one in five of those had a serious impact;

The main impact of the incidents was disruption to the business during investigation, typically lasting up to a week and involving one to three man-days to sort out;

While incidents are clearly rising, there has not been a corresponding increase in the levels of control companies apply to prevent such problems. In particular, small and medium-sized enterprises that have recently granted their staff access tend not to have implemented any controls over that access;

Whereas two years ago, 57% of companies blocked or quarantined emails, this has fallen to just 16%; indeed, nearly a third of companies now have no controls at all over email, compared to 12% in 2002;

Equally, the number of companies that restrict who can access the web has dropped to 29% from 45%, logging and monitoring acceptable sites to 20% from 45% and blocking access to inappropriate sites to 15% from 34%; nearly a third of all companies (although just 4% of large businesses) now have no controls in place at all;

Companies logging and monitoring Internet access reported a higher number of incidents of misuse, implying that organisations without such controls are letting incidents go undetected;

With hindsight, companies that had suffered an incident of misuse rated better staff training followed by improved policies and additional technical defences as the main controls that could have prevented it from happening.

These findings are published in a fact sheet - ‘Staff Misuse of the Internet’ - sponsored by employee Internet management solutions provider Websense Inc.

Chris Potter, the PricewaterhouseCoopers partner leading the survey, said:

“As more businesses provide their staff with access to the Internet, the number of incidents of staff abusing that access is rising. It seems unwise to wait until a major breach before putting effective controls and plans in place. Unfortunately, many businesses, particularly SMEs, are doing exactly that. Our survey shows that only one in three companies that suffered an incident involving Internet abuse already had a contingency plan in place to deal with it. Where such plans did exist, however, most proved very effective at handling the problem.”

Johanna Severinsson, Marketing Director EMEA, Websense, added:

“Every Internet connected desktop is effectively a whole personal entertainment system just waiting to be used. Providing open Internet access is both a distraction for employees and can result in serious security implications for companies. Inadvertent employee Internet activity is often the major cause of corporate security lapses through exposure to peer-to-peer file sharing, spyware and malicious mobile code, as employees are often unaware of the grave consequences of their innocent surfing habits. Every company with Internet access has a responsibility to ensure it is managed in order to protect both their shareholder value and their employees. Companies that choose not to put in place technology to enforce their Internet policy are not only failing to protect themselves, but also their employees, from the hidden dangers of the Internet.”