9 July 2003

Public sector organisations are showing the commercial giants that they can lead the way when it comes to tackling information security failures but when it comes to fraud they don't know which way to turn.

Research just released by independent security and technology consultancy Detica shows that whilst 62% of public sector organisations believe they have a good understanding of fraud being perpetrated by those with access to their systems, almost half (48%) don't know exactly what fraud is going on and over 40% do not think they can defend themselves against crimes like corruption, financial theft and falsification. In addition, only 6% said they completely understood how much money they were losing with these types of fraud.

This comes at a time when the public sector is striving to meet e-government targets by having services online by 2005 and, according to the research, when they are fully aware of the threat of fraud, claiming it to be the biggest security issue facing e-commerce.

Martin Sutherland, head of public sector services at Detica, said: "Interestingly over half of public sector organisations (53%) claim to have teams in place to deal with insider fraud and 38% have internal resources to cope with outsider fraud and yet they don't seem to know who or what they are fighting. This would suggest a huge waste of resources being diverted to fighting fraud after it has happened rather than working to predict and stop the fraud in the first place.

" It's time for the public sector to turn from fraud watchdogs to bloodhounds and to start to look at ways to predict and prevent fraud. For instance how many departments have processes in place to prevent staff tweaking with benefits or payments systems? Likewise, are sufficient systems in place to prevent a fraudster hacking into a departmental system and accessing highly confidential information? "

On a more positive note, whilst public sector organisations appear to be in the dark when it comes to fraud detection and prevention, they are ahead of the commercial pack when it comes to information security. Although the numbers of directors aware of BS7799 - the code of practise for information security - is dropping year on year, awareness amongst the public sector is highest with 36% having heard of it compared to none in telecommunications, travel and utility companies and just 14% in financial organisations.

When dealing with security incidents the public sector wins again with 65% of organisations claiming to have teams ready to act in the event of a security breach. However the situation is similar to dealing with fraud with organisations best placed to react after a breach rather than diverting resources towards prevention.

Added Sutherland: "The commercial sector looks more to short-term ad-hoc technology solutions implemented on a project by project basis to tackle security. Public sector organisations, quite rightly, are more likely to take a more strategic view on information security. By taking one step further in extending an overall strategy to include prevention as well as cure in both security and fraud, government departments and agencies could be going a long way to saving millions of pounds in either catching internal and external fraudsters before they act or in saving valuable resources in picking up the pieces after an incidence of fraud or security failure. It's high time to let the hounds loose."

The research entitled Information Security in the UK 2003 was commissioned by Detica and conducted by The Ashdown Group to ascertain the current situation at 140 FTSE 500 companies and major public sector organisations. Interviews were conducted in April 2003. For a copy of the research report, please contact Lucy Bartley by e-mail: lucy.bartley@detica.com

Nick Miles Text 100 Public Relations Tel: +44 (0)208 846 0700 email: