The Department of Trade and Industry's Information Security Breaches Survey 2002 has shown that the average cost of each serious security breach weighs in at around £30,000.
The number of UK businesses that have suffered a malicious security incident since 2000 has almost doubled, while the average cost to British companies of each security breach comes in at £30,000. Indeed, several firms have reported incidents that have cost them no less than £500,000.

These are the main findings of the Department of Trade and Industry's (DTi) 'Information Security Breaches Survey 2002'.

The survey highlights an apparent paradox within UK business. Initial results show that companies are moving swiftly towards embracing the information economy, with most identifying information security as a priority. However, lack of investment in security systems is allowing too many companies to fall victim to increasing security breaches, as highlighted by the above statistics.

Believed to be the most comprehensive survey on information security in the UK to date, the research was conducted by RSA Security, Symantec, Genuity and Countrywide Porter Novelli, led by PricewaterhouseCoopers. It shows that 75% of UK businesses believe that they hold sensitive or critical information, and yet in spite of this only a quarter of them have a security policy in place.

Information security has never been higher on the boardroom agenda, with three-quarters of UK firms questioned identifying it as a "high priority" for senior management (compared to 50% in the 2001 survey). However, there's a clear 'disconnect' between this and actual practice.

Consequently, almost half of all companies (i.e. four out of five larger businesses) have fallen victim to viruses, hacking attacks, fraud and other information security 'invasions' over the past 12 months. As recently as 1998, that figure was less than one in five.

The survey also shows that UK businesses are not spending anywhere near enough to protect the business they're conducting online. Just one quarter spend more than 1% of their IT budget on security (3-5% is acknowledged as the minimum reasonable level, rising to an average of 10% in high-risk sectors such as financial services).

The main reason for the lack of investment appears to be a failure to recognise the economic return. Fewer than a third of companies ever bother to evaluate the return on investment on their security expenditure.

Speaking exclusively to Security Management Today about the survey results, PricewaterhouseCoopers partner Chris Potter said: "Most businesses we surveyed expect the number of data security incidents to rise over the coming year. Companies will need to take action now to translate their commitment to information security into reality."

Copies of the DTi survey are available from Rebecca Rainsford or Penny Hawley (on 020 7853 2266 or 07720 277143 respectively).