Page 1/1 

Thank you for agreeing to answer this questionnaire, which is being conducted by Reed Exhibitions Ltd, in association with the department for Business, Innovation and Skills and PricewaterhouseCoopers LLP. Your input is extremely valuable to us and in return for your participation; we are holding a prize draw for all those who complete the questionnaire with a prize of a Nintendo Wii for the winner. In addition, we will also send you an electronic copy of the survey results when they are published in April. At the end of the questionnaire, we will give you the option of providing your contact details, should you wish to be entered into the prize draw and to receive your copy of the survey results. Your contact details will be used solely for this purpose

About your organisation

1	How many staff does your organisation employ in the UK?
		None
		Less than 10
		10-49
		50-249
		250-499
		500-9,999
		10,000+
		Don’t know

2	Where in the UK is your organisation’s main location?
		Scotland
		Northern Ireland
		North West
		Yorkshire and North East
		Wales
		Midlands
		Eastern
		South West
		South East
		Greater London

3	In what sector is your main business activity?
		Financial services
		Telecommunications
		Technology
		Travel, leisure and entertainment
		Utilities, energy and mining
		Manufacturing
		Retail and distribution
		Property and construction
		Government, health or education
		Other

	Other, please specify

4	Which of the following technologies does your organisation use? (Select all that apply)
		Voice over IP telephony
		Wireless network
		Staff remote access to systems
		Virtualisation/use of virtual machines

Security breaches in the last year

5	How many times in the last year have….. Your systems
		None		Once only in the last year		A few times in the last year		Roughly once a month on average		Roughly once a week on average		Roughly once a day on average		Several times a day on average		Hundreds of times every day		Don’t know
	your systems accidentally failed or suffered data corruption
	your systems been infected by malicious software (such as a virus, worm, Trojan or spyware)?

6	Your staff
		None		Once only in the last year		A few times in the last year		Roughly once a month on average		Roughly once a week on average		Roughly once a day on average		Several times a day on average		Hundreds of times every day		Don’t know
	your staff misused their web access (e.g. excessive browsing, accessing inappropriate sites)?
	your staff misused their e-mail (e.g. sending messages with inappropriate content)?
	your staff gained unauthorised access to systems or data (e.g. using other people’s user IDs
	your staff infringed data protection laws/regulations?
	your staff obtained and misused confidential information (e.g. intellectual property, customer data)?
	your staff lost or leaked confidential information (e.g. through lost USB sticks, inappropriate sharing of data, etc.)?
	your staff used your computer systems to carry out financial fraud or theft?
	your staff stolen some of your computer equipment (e.g. laptops, memory chips)?
	your staff sabotaged your data or network?

7	Any unauthorised outsiders
		None		Once only in the last year		A few times in the last year		Roughly once a month on average		Roughly once a week on average		Roughly once a day on average		Several times a day on average		Hundreds of times every day		Don’t know
	any unauthorised outsiders tried to break into your network (e.g. a significant scan or probe against your Internet gateway, dial-up or wireless network)?
	any unauthorised outsiders succeeded in penetrating your network?
	any unauthorised outsiders launched a denial of service attack (against your web-site or Internet gateway)?
	any unauthorised outsiders attacked your Internet or telecommunications traffic (e.g. wire-tapping, eavesdropping, interception, telecoms fraud)?
	any unauthorised outsiders impersonated your company on the Internet (e.g. phishing attacks to persuade customers to reveal confidential data)?
	any unauthorised outsiders impersonated one of your customers with a view to fraud (identity theft)?
	any unauthorised outsiders stolen some of your computer equipment (e.g. laptops, memory chips)?

Worst single security incident in the last year Of all the security incidents you have had in the last 12 months, please recall the worst single security incident you faced.

8	What type of incident was it?
		Infection by malicious software (i.e. a virus, worm, Trojan or spyware)
		Staff misuse of the Internet or email
		Infringement of laws/regulations
		Attack on web-site or Internet gateway
		Systems failure or data corruption
		Fraud or theft using computer systems
		Theft or unauthorised disclosure of confidential data
		Physical theft of computer equipment
		Other
		Not applicable - no security incidents in the year

	Other, please specify

9	Can you please briefly describe the nature of the incident, how it arose and what its impact was?

10	Did the incident cause any downtime or interruption of normal service?  If so, how long did it take to restore business operations back to normal?
		No interruption
		Less than a day
		Between 1 day and 1 week
		Between 1 week and 1 month
		More than a month
		Don’t know
		Not applicable

11	How significant was the disruption to business operations during the incident?
		Very major (e.g. computer systems that many/most staff rely on to carry out business activities were unavailable)
		Major (e.g. access to certain computer facilities, such as Internet e-mail or web-site, was unavailable)
		Minor (e.g. some disruption to a small number of staff, no visible impact as far as outside world was concerned)
		Insignificant (e.g. business operations largely carried on as normal)
		Don’t know
		Not applicable

12	How much staff time was involved in the investigation and remediation of the incident?
		Less than one man-day
		2-10 man-days
		11-50 man-days
		51-100 man-days
		More than 100 man-days
		Don’t know
		Not applicable

13	Was there any direct financial loss (e.g. assets stolen, fines, compensation payments) associated with the incident?
		Nothing
		Less than £1,000
		£1,000-£9,999
		£10,000-£49,999
		£50,000-£99,999
		£100,000-£249,999
		£250,000 - £499,999
		More than £500,000
		Don’t know
		Not applicable

14	Was there any indirect financial loss (e.g. theft of intellectual property) associated with the incident?
		Nothing
		Less than £1,000
		£1,000-£9,999
		£10,000-£49,999
		£50,000-£99,999
		£100,000-£249,999
		£250,000 - £499,999
		More than £500,000
		Don’t know
		Not applicable

15	Roughly how much cash expenditure was required to recover the situation and remediate for the future?
		Nothing
		Less than £1,000
		£1,000-£9,999
		£10,000-£49,999
		£50,000-£99,999
		£100,000-£249,999
		£250,000 - £499,999
		More than £500,000
		Don’t know
		Not applicable

16	To what extent did the incident damage the reputation of your organisation?
		Only known about internally
		No media coverage, but some complaints from customers
		Some adverse media coverage
		Extensive adverse media coverage over a prolonged period
		Don’t know
		Not applicable

17	Taking into account all of the above, how serious overall would you say the incident was?
		Extremely serious
		Very serious
		Serious
		Not serious
		Not at all serious
		Don’t know
		Not applicable

18	Was there a contingency plan in place to deal with this type of security incident?
		Yes and it was effective
		Yes, but it was not effective
		No
		Don’t know
		Not applicable

Security management

19	Which is the most important driver for your information security expenditure?
		Preventing downtime and outages
		Protecting intellectual property
		Protecting customer information
		Protecting other assets (e.g. cash) from theft
		Maintaining data integrity
		Complying with laws/regulations
		Business continuity in a disaster situation
		Protecting the organisation’s reputation
		Enabling business opportunities
		Improving efficiency/cost reduction
		Don’t know

20	How high a priority would you say information security is to your top management or director group?
		Very high priority
		High priority
		Neither high nor low priority
		Low priority
		Not a priority at all
		Don’t know

21	Have you carried out a security risk assessment in the last year? (i.e. assessed the likelihood and impact of potential threats to your organisation)
		Yes
		No
		Don’t know

22	Has your organisation documented its information security policy?  (i.e. a formal policy outlining measures to ensure confidentiality, integrity and availability of information)
		Yes
		No
		Don’t know

23	How well do you think your staff understand your security policy?
		Very well understood
		Quite well understood
		Poorly understood
		Don’t know

24	Do you provide staff with any security awareness training?
		Yes - programme of continuing education
		Yes - on induction only
		No
		Don’t know

25	Has your organisation implemented the principles of the British Standard for Information Security Management (BS7799 or ISO 27001)?
		Yes, completely
		Yes, partially
		No, but plan to
		No, and not planned
		Don’t know

26	How has the amount that you spend on information security changed over the last year?
		Increased
		Stayed the same
		Decreased
		Don’t know

27	How much would you estimate that you spend on information security as a percentage of your total IT expenditure?
		Zero
		1% or less
		2%-5%
		6%-10%
		11% - 25%
		26%- 50%
		More than 50%
		Don’t know

28	As part of supplying services or goods to third parties (including government), with which information security standards or requirements have your customers required you to demonstrate your compliance?
		A recognised standard such as BS7799 or ISO 27001
		Government-related requirements
		Payment card industry (PCI)
		Other
		Don’t know

	Other, please specify

29	How clear is it who owns critical data within your organisation and takes responsibility for ensuring the data is protected?
		Very clear
		Quite clear
		Not clear
		Don’t know

Data loss prevention

30	Which of the following data types does your organisation ensure are encrypted? (Select all that apply)
		Laptop hard disks
		Desktop hard disks
		Wireless network transmissions (e.g. via WPA2)
		Customer transactions on your website (e.g. via SSL)
		Staff remote access to systems (e.g. via VPN)
		Data transfers to other organisations
		Data downloaded onto USB sticks or other removable media
		Smart phones/Blackberries
		Backups
		Sensitive data fields held in databases
		Data held on virtual storage (e.g. on the cloud)
		Don’t know

31	Do any of your systems use any authentication methods other than user ID and password (i.e. stronger authentication, such as two-factor or biometrics)?
		Yes
		No
		Don’t know

Software as a service

32	For which of the following types of application does your organisation use an externally hosted solution that you access across the Internet? (Select all that apply)
		Your corporate website
		Your corporate email
		Office tools (word processing, presentations, etc.)
		Payments processing
		Customer transaction processing
		Sales and/or marketing
		Finance and accounting
		Payroll processing
		Other

	Other, please specify

33	How critical are these external services to your business?
		Critical
		Important, but not critical
		Not important
		Don’t know
		Not applicable

34	How confidential is the data you store on those externally hosted systems?
		Highly confidential
		Confidential
		Not confidential
		Don’t know
		Not applicable

35	Would you say that the security over your data has improved or reduced as a result of using these external services
		Improved
		No change
		Reduced
		Don’t know
		Not applicable

36	Which of the following steps has your organisation taken to obtain comfort over the security at the external provider? (Select all that apply)
		Ensured contract included provisions for security
		Obtained rights to audit the provider’s security
		Ensured the provider is certified as ISO 27001 compliant
		Obtained a service auditor’s report (e.g. SAS 70) on the provider’s controls
		Carried out penetration testing to check the provider’s security
		Required the provider to follow your security standards
		Get reports from the provider on security breaches that might affect your data
		Have a contingency plan in case the provider ceases operation or you wish to exit

Social networking

37	Do you restrict which of your staff can have access to the Internet at work?
		Yes
		No
		Don’t know
		Not applicable

38	How important would you say access to social networking sites is to your business?
		Very important
		Quite important
		Not important
		Don’t know
		Not applicable

39	Do you block access to inappropriate websites (i.e. through blocking software)?
		Yes, including social networking sites
		Yes, but we do not block social networking sites
		No
		Don’t know
		Not applicable

40	Do you log and monitor which websites staff access?
		Yes, including logging what the user has posted
		Yes, but only logging when users accessed websites
		No
		Don’t know
		Not applicable

Future outlook

41	Do you think there will be more or less security incidents next year than last year?
		More
		Less
		Same
		Don’t know

42	Are you expecting to spend more or less on information security over the next year than you spent last year?
		More
		Less
		Same
		Don’t know

Conclusion Thank you for completing the survey. The results will be launched at the Infosecurity Europe show on 28 April 2010.

43	If you would like to enter the prize draw and receive a copy of the electronic survey report when it is launched, please provide your email address. This will be used solely for this purpose.
	Name
	Email

Please click on the submit button below to complete this survey - please only click the button once.