New technologies, like the use of handheld devices (PDAs) and wireless networking, are creating fresh risks that public services are only slowly reacting to. And, despite better ICT security systems, a 'culture of complacency' and a failure to ensure that staff understand the rules is undermining the effectiveness of ICT security arrangements.
Since the last survey in 2001, the new report points to some improvement in ICT security, with security policies in place at 96% of organisations. It also recorded a fall in the incidence of 'business disruption' (viruses or other deliberate acts aimed at denying users access to systems), making up only 20% of cases in the 2004 survey compared with 39% in 2001.
But the report does reveal:
--a 13% growth in reputational risks, including staff accessing pornography or other inappropriate material (52% of cases in 2004 compared to 39% in 2001);
--financial risks continuing to mount (28% of cases in 2004 compared to 22% in 2001); and
--evolving technology (like wireless networking) presenting a challenge that organisations do not fully appreciate (64% of respondents put wireless networking in the low/medium risk category).
The report focuses on the key role staff play in ICT security. Yet only 50% of organisations initiate staff training in ICT security systems, and only a third of organisations inform their staff about their ICT security policy and what staff should be doing.
Alongside the report the commission has produced a self-assessment questionnaire for chief executives and other senior managers to use when considering their own organisation's susceptibility to ICT fraud and abuse.
Steve Bundred, chief executive of the Audit Commission, said: 'The growth in new technology - through PDAs and wireless networking, for example - coupled with the greater sophistication of hackers and fraudsters, mean that the risks remain significant.
'ICT security is only as effective as the staff within the organisation, and too often we are finding that staff are unsure of their role. If we fail to get this right we risk eroding the confidence of citizens in the electronic systems that underpin public services.
'We recommend that chief executives and other senior staff review their organisations against the set of questions we've developed.'
To help local government and health bodies tackle ICT fraud and abuse, the commission has developed the Your Business at Risk (YBAR) database, which organisations can use to compare their ICT security measures against those of a range of other organisations. To use YBAR, local government and health bodies should contact their appointed auditor.
Both the report and self-assessment are available on the Audit Commission's website at www.audit-commission.gov.uk
The ICT fraud and abuse survey was carried out during October - November 2004. 407 bodies completed the survey, including local government, police and fire authorities, NHS bodies, central government departments, non-departmental public bodies and agencies.
The 2004 survey is the seventh conducted by the Audit Commission.
The Audit Commission is an independent watchdog responsible for ensuring that public money is spent economically, efficiently and effectively. Our remit covers more than 12,000 bodies which between them spend nearly £100 billion of public money each year.
We are active in local government, health, housing, criminal justice and fire and rescue services and consequently have unrivalled insights into the overall impact of public services on users.
In addition to making sure that taxpayers receive value for money, our aim is to provide impartial information on the quality of public services. We also act as a force for improvement by providing practical recommendations and spreading best practice.
We are committed to working in partnership with other regulators and to ensuring that our own activities also represent value for the taxpayer.
Further details about the Commission can be obtained from its web site www.audit-commission.gov.uk
For further information please contact:
Martin Bollers, Head of Communications Strategy & Implementation
Tel: 020 7166 2145
Fax: 0845 052 2617
Mob: 07899 062 015
Email: email@example.com