Infosecurity Europe: PwC report shows bleak security landscape

The figures from the report blame the rise partly on the increasing use of cloud computing and social networks within enterprises.

Fifteen percent of large companies say their IT resources have been accessed by an unauthorised outsider in the last 12 months, and 25% had suffered a denial-of-service attack – double the number logged in 2008.

Confirming a Gartner report earlier this year, the study also found that more than 75% of respondents said they were using cloud computing and Software-as-a-Service facilities.

Adoption of new technologies


The report notes that the rate of adoption of newer technologies has accelerated over the last two years, with most respondents now using wireless networking, remote access and VoIP.

Eighty-five percent of smaller organisations are now using wireless technology – almost double the use in 2008.

The number of organisations allowing staff to have remote access to their systems has also increased, with around 90% of large companies now doing this.

The report concludes that outsourcing IT services does not make the security risk go away, but few companies are taking enough steps to ensure their outsourced services are not vulnerable to attack. “Only 61% of organisations are ensuring that their contracts with third party suppliers include security, and only 17% check that third party organisations encrypt sensitive information”, said Potter, a OneSecurity partner with PwC.
Potter said that very few organisations are encrypting data held on virtual storage, including the cloud.

"Virtualisation and cloud computing seem to be set to follow the trend, established over the last decade, of controls lagging behind adoption of new technologies", he said.

"Given the increased criticality and confidentiality of information held on virtual storage, organisations need to respond quickly to close this control gap", he added.

Follow the rules


Andrew Beard, OneSecurity director with PwC, said that it seems that organisations will respond to specific requirements mandated by government or other authorities, but when the requirements are less explicit, adoption of good practice is lower.

"Assurance reporting appears to increase organisations' level of comfort. However, as adoption of the assurance reporting standards remains low, it seems likely that some organisations have a false sense of security", Beard said.

"Staff postings to social networking sites pose a new data leakage risk. Yet, at the same time, social networking is increasingly important to businesses", he added.

"Organisations are reassessing their approach to controlling staff access to the internet. The trend, established between 2006 and 2008, of allowing more staff to access the internet has been reversed."
"Nearly half of large organisations now restrict which staff can access the internet; less than a third did so in 2008."

"Organisations want to allow effective use of the internet, but reduce inappropriate use. Use of software to block access to inappropriate websites is slightly up on two years ago."

"Web access logging and monitoring is relatively static. However, more sophisticated use is being made of these tools than in the past. Organisations are one and a half times as likely to monitor postings to social networking sites if social networking is considered very important to their business", he said.

Security spending, however, is increasing, and is set to do so in 2011, according to the survey. “Sometimes security spending is misplaced”, argued Beard, who insists that more money and effort should be spent on increasing infosecurity awareness.

John Colley, managing director, (ISC)2, commented on the survey results: “The spectacular reversal of fortunes reported in the BIS Information Security Breaches Survey 2010 proves that more security controls do not necessarily add up to more control. Despite the fact that more companies are placing a high priority on security, establishing formal security policy, and even investing in more controls, the opportunities to exploit are multiplying.”

“Clearly the opportunists are being strategic; more of the same is required of their victims”, Colley continued. “With 44% of companies entrusting critical services to third parties, and only 17% encrypting the sensitive data held with third parties, companies are making some basic errors.”

Lastly, Colley argued that throwing more or new technology at vulnerabilities caused by social networking behaviour is not the answer. “This report confirms that the pressures driving demand for information security services today speak to core business priorities that demand professional assessment. Only then will we see the strategic enterprise-level response to the risks that is required”, he concluded.



 
