- Published: 03 May 2012
- Written by NStinchcombe
- · Only 38% of large organisations ensure that their data held by external providers is encrypted
- · 56% of small businesses don’t check their external provider’s security
- · Half of organisations of national importance use cloud for business critical data
Many UK companies are failing to keep a proper check on the security of their data held by third parties offering cloud computing services, new research shows.
Although three-quarters (73%) of organisations are using at least one outsourced service over the Internet, only 38% of large organisations ensure that data being held by external providers is encrypted. Furthermore, more than half (56%) of small businesses don’t carry out any checks on their external providers’ security and rely instead on contracts and contingency plans.
These are some of the worrying preliminary findings from the 2012 Information Security Breaches Survey (ISBS), written by PwC in conjunction with Infosecurity Europe and supported by the Department for Business, Innovation and Skills (BIS). The results will be revealed in full at Infosecurity Europe on 24 April following a keynote speech by BIS minister David Willetts.
Chris Potter, PwC information security partner, said:
“The Internet continues to facilitate more sophisticated business relationships. Businesses are putting their faith in third parties to take care of their data but many are taking a laissez faire attitude to the security element. Not only are they often completely leaving the security controls to third parties, they are not actually checking what controls those third parties have in place.
“Small businesses may think that because their data is being hosted by a large cloud provider that good security controls will be in place, but this isn’t necessarily the case. Companies should always check what security controls their providers are operating.”
Around a quarter of large organisations and one-fifth of small ones have extremely confidential data hosted on the Internet - with website, email and payment service provision the most commonly used cloud services. Half of organisations of national importance, such as financial services, telecommunications and utilities, critically depend on them.
Many small businesses rely only on a contingency plan to move the outsourced service if there are issues. Yet, a third of contingency plans to deal with systems failure and data corruption prove ineffective. The survey shows a strong correlation between the effectiveness of contingency plans and the seriousness of breaches. When contingency plans do work, less than half the incidents were serious; when the plans failed, four-fifths were serious.
The biggest blind spot in contingency planning is the infringement of laws and regulations, where only a fifth (18%) of affected organisations had a contingency plan. Further to this, 45% of large organisations breached data protection laws in the last year and this happened at least once a day at one in ten of them. After the most serious breaches, organisations improved their processes and technology and also trained their people. This reinforces the evidence that the worst security breaches are due to multiple failures in a combination of people, process and technology.
Chris Potter, PwC information security partner, said:
“Too many contingency plans are currently ineffective. Organisations should be frequently stress-testing their plans, especially because the survey shows a direct correlation between contingency planning and the severity of breaches. Rather than relying on contingency plans, organisations would be in a much more powerful position if they were to secure their data in the first place.”
ENDS
Contacts:
Chris Potter, partner, PwC
Tel: 020 7212 3640, Mobile: 07808 783279
Elizabeth Faulkner, media relations, PwC
Tel: 0207 213 1018, Mobile: 07877 758 609
Neil Stinchcombe, PR, InfoSecurity Europe
Tel: 0207 183 2833, Mobile: 07947 613 303
Notes to Editor:
1. Survey methodology
The survey findings are based on responses from security professionals in 447 UK and Channel Islands organisations spread across all industry sectors, of which roughly a fifth were from the public sector.
2. About Infosecurity Europe
Infosecurity Europe is Europe’s number one information security event, featuring over 300 exhibitors and visitors from every segment of the industry. Organised by Reed Exhibitions, the world’s largest tradeshow organiser, Infosecurity Europe runs from the 24th – 26th April 2012, in Earls Court, London. For further information please visit www.infosec.co.uk
3. About PwC and information security
Our security practice, spanning our global network, has more than 30 years' experience, with over 200 information security professionals in the UK and 3,500 globally. Our integrated approach recognises the multi-faceted nature of information security and draws on specialists in process improvement, value management, change management, human resources, forensics, risk, and our own legal firm. PwC has gained an international reputation for its technical expertise and strong security skills in strategy, design, implementation and assessment services, and as such was recognised as a leader in the Information Security and IT Risk Consulting field by the Forrester Wave in 2010.
4. About PwC
PwC firms help organisations and individuals create the value they’re looking for. We’re a network of firms in 158 countries with close to 169,000 people who are committed to delivering quality in assurance, tax and advisory services. Tell us what matters to you and find out more by visiting us at www.pwc.com.
"PwC" is the brand under which member firms of PricewaterhouseCoopers International Limited (PwCIL) operate and provide services. Together, these firms form the PwC network. Each firm in the network is a separate legal entity and does not act as agent of PwCIL or any other member firm. PwCIL does not provide any services to clients. PwCIL is not responsible or liable for the acts or omissions of any of its member firms nor can it control the exercise of their professional judgment or bind them in any way.
© 2012 PricewaterhouseCoopers. All rights reserved.