Small businesses are failing to adopt the security controls needed to protect their customers' information, according to the Department of Trade and Industry.

The DTI’s 2006 biennial Information Security Breaches Survey showed that increasing volumes of business being conducted online have raised the priority given to protecting customer data.

Most large organisations appear to have adopted best practice regarding network and data security, and 78% of those that accept financial transactions now encrypt the data they receive to ensure its confidentiality and integrity. However, smaller firms are less likely to provide the required protection; fewer than a third encrypted the data they received.

Nine-tenths of respondents recognised that protecting customer information was important or very important and a strong justification for security expenditure. This has become one of the biggest drivers for IT security spending.

Key findings from the telephone survey of 1,000 companies include:

  • Increasing volumes of online business are raising the priority given to protection of customer data. 90% of firms considered this important or very important, and a strong justification for security expenditure.

  • There was a rise in the number of companies that reported an attack on their internet or telecommunications traffic. Over a quarter of those affected by attempts to break into their networks said they suffered at least one significant attempt every day.

  • The businesses attacked tended to be those that accept financial transactions online. All the websites that accept financial transactions are behind a firewall.

  • Fewer than two-thirds of websites accepting financial transactions encrypt the data they receive. In contrast, every transactional website run by a very large respondent uses encryption.

  • Controls over authorised wireless networks have improved. The number of unprotected networks has halved since 2004. One in five firms still lacks any controls.

  • Few small businesses use VOIP (voice over internet protocol, which enables a channel to be opened through a firewall), whereas 31% of large businesses have adopted it and more are planning to use it over the next year. Half of the businesses that have implemented VOIP did so without evaluating the security risks.

The full results of the survey will be launched at Infosecurity Europe in London, April 25-27.