Network: SOS: safeguard our software

We would all agree that knowledge is power, and that information is a key power source. But many businesses underestimate the value of the information they have amassed, until a security breach occurs and forces them to realise what's been lost.

One story unearthed in the Business Information Security Survey (Biss), launched by the DTI's Barbara Roche MP last week, concerns a further education college whose computers constantly fell prey to viruses generated by teenage student pranksters. Mature students, coming to classes in the evenings, would regularly find the computers unusable or malfunctioning.

David Masding, of the National Computing Centre (NCC), who supervised qualitative research for the survey, describes how the college solved the problem: "Software packages were developed with strict password controls. The college felt more protected, and has recently opened a revenue-generating, secure cyber cafe business."

While this particular tale had a happy ending, other organisations have been less lucky. One in five of the 1,000 companies surveyed admitted suffering a serious security breach - everything from power failure to internal computer hackers. Those reporting breaches calculated an average loss of pounds 7,000 each time - with larger companies losing up to pounds 20,000 - but real costs, including restoration, were often found to be three times as high as the initial projection.

"One local authority had a pounds 500,000 theft which involved thieves bringing PCs and laptops to a central point, where they crowbarred them and took out the memory chips for reselling. The machines had to be scrapped," said Masding. Consequently, the authority faced three days without any IT resources. In another case, a hospital had to fork out pounds 100,000 to rid itself of an unknown virus that had crippled office productivity software. Three years later, the problem is still not completely eradicated.

Survey chiefs at the NCC, along with partners from the DTI, Sysdeco Solutions, AT&T and the UK IT Security, Evaluation and Certification (Itsec) scheme, had previously targeted IT managers, but came to realise that the issue of information security needed to be more widely recognised. "It is not a boardroom issue in many organisations," says David Masding. "People rate information security highly, but when we ask how many have actually put a plan into effect, there are very few. When you look at small organisations, only a third have any document that sets out company policy. They think that because they are small, they are not going to have a problem. Yet those organisations are probably more dependent on their information than larger ones. They are totally reliant on the PC in the corner."

The Internet is becoming an increasingly important factor. With the number of employees using the Internet predicted to grow by 85 per cent this year, a growth in security breaches seems inevitable. Four-fifths of respondents, for instance, said they did not use data encryption; many assumed it was built in already. "Ironically, the Internet is an insecure medium because it was designed for resilience, not reliability. As a result, it is an open and flexible technology. It does not generally protect the integrity or confidentiality of data," the report says.

Interestingly, with just 10 per cent of respondents using the Internet for commerce, only a few mentioned that the threat of security breaches made them wary of using it for electronic commerce. "Apathy, or perhaps lack of curiosity, was a more prevalent reason for not embracing the Net - 42 per cent could see no business reason," the survey authors concluded. "But once true interest is fuelled, it is likely that more will focus on security issues."

Internal errors - either malicious or incompetent - accounted for many of the breaches reported. "Someone within an organisation is probably in a better position to hack. You have to have more and more sophisticated ways to control it. A fire wall, for instance, will detect the traffic coming through legitimately," said David Masding. "But educating and training staff is key."

Tim Moore, deputy manager of the Itsec scheme, added: "There is a lack of concern about unauthorised access and IT managers are still unaware of best practice regarding security. For instance, only a quarter of organisations had heard of the BS7799 benchmark for information security management, and less than half were aware of the 1990 Computer Misuse Act." Hacking is here to stay - there were around 250,000 attacks last year on military IT systems, according to the Defence Intelligence Systems Agency.

Best practice, a term associated with the BS7799 management standard, involves a series of key points, which include issuing a security policy document, allocating responsibility to individuals, providing training, developing a system where incidents can be reported and introducing virus controls (scanning floppy discs, for instance).

But Biss authors say that companies should carefully measure their response: "You should undertake a considered review of security across your organisation, not an isolated investigation into areas with a compelling media profile, such as hacking." Stress levels among employees rise as they watch their computers crash - but it is a bigger headache when their companies lose priceless and often irretrievable information. Biss warns: "You can end up producing islands of security in a sea of risk. Lightning can and does strike more than once in the same place."

For a copy of the survey, call 0161 228 6333.