One in three of the UK’s larger companies suffered hacking attempts on their websites in the last year, a new survey shows. Although businesses are confident their security defences are adequate, there are concerns that such comfort is misplaced. Businesses that were scanned reported an average of one probe each week, while 4% said their systems had been penetrated, four times as many as two years ago.
These are among the initial findings from the 2004 Department of Trade and Industry’s biennial Information Security Breaches Survey, conducted by a consortium led by PricewaterhouseCoopers. The full results of the survey will be launched at InfoSecurity Europe in London, April 27-29.
Key findings from the survey of some 1,000 companies include:
* Three quarters of businesses that reported system penetration rated it as their worst security incident of the year (worse than, for example, virus infections), with more than a third describing the impact as ‘very serious’;
* The main concerns were not so much financial loss or service disruption, but the time spent on investigation and remedy - a quarter took between two and 10 man-days of effort;
* Firewalls were the main line of defence against intrusion, with more than three quarters of businesses using one, although in 50% of the cases, this was their only defence;
* The larger the business, the more likely it is to have intrusion detection software as well;
* The number of smaller companies reporting hacking attempts was relatively low but has risen significantly since the last survey in 2002; the speed of the rise is, however, worrying given the growing dependence on websites;
* Around half of all businesses have their websites hosted externally and so rely solely on their provider for security, yet worryingly many were unaware of what defences those providers had against attack;
* Yet, despite increasing network security incidents, businesses remain largely satisfied about the effectiveness of defences, with 72% expressing confidence in their ability to detect or prevent security breaches;
* But this confidence may be misplaced because many organisations do not test their network security, although larger organisations are tending to use more tools to scan their systems for vulnerabilities;
* Businesses that carry out these checks reported more attempts to probe their website security but also said they had suffered less actual penetration of their systems by outsiders.
These findings are published in a fact sheet - ‘Intrusion Prevention’ - sponsored by McAfee Security.
Andrew Beard, the PricewaterhouseCoopers advisory services director involved in the survey, said:
“The survey findings point to a real concern that businesses without the right monitoring and intrusion prevention processes in place may have a false level of comfort. Scanning and hacking activity may not be detected until it is too late to react.”
Sarah Whipp, senior director, EMEA marketing at McAfee Security, added:
“The security challenge for business continues to grow as networks become more porous, intruders more sophisticated and the sheer variety of threats companies face increases. Proactive prevention technologies to combat both internal and external attacks are a commercial necessity.”
One in three large businesses in the UK had their websites attacked by hackers last year

PricewaterhouseCoopers survey shows