������ý

The finding announced last week that British businesses lose around
£1.1 billion a year through breaches in computer security has been
described as ‘a conservative estimate’ by the National Computing Centre.
It has called on the government to take a lead in helping firms to take
security measures. The survey* of businesses which use computers was conducted
jointly by the Department of Trade and Industry, the NCC and the computer
company ICL.

Lord Reay, the DTI’s technology minister, describes computer security
as ‘a very considerable problem’. The DTI is already funding a campaign
to make companies more aware of computer security. But Bill Murray of the
NCC says ‘the DTI could lead the way on preparing codes of practice’ in
order to give an outline of what companies should do.

Security breaches can be divided into physical breaches such as theft,
fires, floods or lightning strikes, and logical breaches such as hacking
and software errors. The survey found that physical breaches cost Britain
around £580 million every year, and logical breaches around £530
million.

Over 8000 companies were questioned on their computer security over
the past five years. About 900 replied, and more than half of these reported
a significant physical breach during that time. The national figures were
calculated by assuming that 50 000 businesses in Britain use computers.

The figures only include the immediate cost of breaches, and not the
knock-on costs such as loss of business while the problem is being fixed.
The true cost could be several times as high. One finance company, whose
data centre was completely destroyed by a fire and flood, said that while
the immediate cost was £8 million, the overall cost amounted to
£24 million when loss of business was taken into account.

Most of these losses could be saved if companies changed their security
procedures and devised contingency plans, says Tom Parker, principal security
consultant at ICL. The organisations which conducted the survey say that
businesses are remarkably casual about computer security. Only half the
companies which responded have a policy on computer security, despite the
average immediate cost of a fire being nearly £3 million and that
of an outsider hacking into the company’s system £23 000.

On average, unauthorised access from within a company costs £4000
and viruses £12 000. Parker points out that it costs very little
to introduce computer passwords and to insist that floppy discs are checked
for viruses before use. But these figures were compiled only from those
companies which owned up to security breaches and are almost certainly an
underestimate. ‘The finance and business services industry reported not
one major loss through fraud,’ says Parker.

Both the NCC and ICL called last week for a clear lead from the government
on encryption, the coding of information into a form that can only be decoded
by users authorised to do so. But regulations on encryption vary between
nations, making security very difficult for international companies. ‘We
need a clear picture from governments around the world on which codes should
be used,’ says Parker.

*IT Security Breaches Survey Summary, Security Division, NCC Consultancy
Group. Tel: 061-228 6333. Price £145.