PwC: Rising security breaches cost UK billions in the last year
Written by staff reporter
The overall cost of security breaches to business is now billions of pounds a year, a new survey shows. According to the Information Security Breaches Survey by PwC, carried out in conjunction with Infosecurity Europe, one in seven large organisations has detected hackers within their systems in the last year – the highest level recorded since the survey started in the early 1990s. Furthermore, 70% of large organisations have detected significant attempts to break into their networks in the last year.
On average, each large organisation suffered 54 significant attacks by an unauthorised outsider, twice the level in 2010, while 15% of large organisations had their networks successfully penetrated by hackers. The average cost of a large organisation’s worst security breach of the year is £110k-£250k and £15k-£30k for a small business.
Commenting on the research, Universities and Science Minister David Willetts, whose responsibilities include cyber security issues, said: "The internet has opened up huge opportunities for businesses, and the UK is a world leader in doing business online. This survey showing the changing nature of the threats in cyberspace is a timely reminder for UK businesses to make sure their information systems are protected so they can take full advantage of the online world.
"The survey demonstrates why the government is right to be investing £650m to improve cyber security and make the UK one of the safest places to do business in cyberspace. We will use the findings to help design a new annual survey of cyber security breaches beginning next year."
“The UK is under relentless cyber attack and hacking is a rising risk to businesses. The number of security breaches large organisations are experiencing has rocketed and as a result, the cost to UK plc of security breaches is running into billions every year,” added Chris Potter, PwC information security partner. “Since most businesses now share data with their business partners across the supply chain, these numbers are startling and make uncomfortable reading for business leaders.
“Large organisations are more visible to attackers, which increases the likelihood of an attack on their IT systems. They also have more staff and more staff-related breaches which may explain why small businesses report fewer breaches than larger ones. However, it is also true that small businesses tend to have less mature controls, and so may not detect the more sophisticated attacks.”
Besides hacking, the survey shows that organisations are experiencing many data protection breaches, data loss events and computer frauds, particularly those that haven’t invested in staff education. The vast majority of respondents had a security breach in the last year: 93% of large organisations and 76% of small businesses. The most serious breaches result from failings in a combination of people, process and technology, showing the importance of investing in all three aspects.
Outsider attacks have increased, especially against large organisations. There is a marked contrast in the average number of breaches suffered by small and large organisations affected. On average, a large organisation now faces one attack per week, while for small businesses it is one a month; hacking attacks make up the largest single component.
Despite the prolonged economic slowdown, most organisations have spent more on security this year than in the previous one. On average, organisations spend 8% of their IT budget on information security, and those that suffered a very serious breach were found to spend on average 6.5% of their IT budget on security. There’s some evidence of complacency setting in among large organisations. Some 12% of businesses say senior management give a low priority to security, while 20% spend less than 1% of their IT budget on information security. A root cause is that it is hard to measure the business benefits from spending money on security defences. Only 20% of large organisations evaluate return on investment on their security expenditure.
“Organisations that suffered a very serious breach during the year spent slightly below the overall average on security. The key challenge is to evaluate and communicate the business benefits from investing in security controls. Otherwise, organisations end up paying more overall. Given that most organisations take a lot of action after a breach to tighten up their security, scrimping a saving on security creates a false economy. The cost of dealing with breaches and the knee-jerk responses afterwards usually outweigh the cost of prevention,” Potter added.