Cyber security breaches continue to cause UK organisations a pounding headache. Nine in ten (90%) large organisations and 74% of small organisations are affected, recent research by PwC finds. The average cost has also been increasing year on year, with the costs to large organisations ranging from just under £1.5 million to £3.14 million, while for small organisations the range starts at £75,200 and goes up to around £310,800.
In a recent report, titled ‘2015 Information security breaches survey’, commissioned by the HM Government and conducted by PwC (assisted by Infosecurity Europe), the consulting firm explores the current state of cyber security in the UK. The survey is of 664 respondents, of which 49% are of large organisations – with more than 500 employees, while the rest are from small organisations – of which 20% have less than 10 employees.
The report found that this year, like those before them, the number of security breaches has increased on the year previous. Nine out of ten (90%) large organisation had a breach last year compared to 81% the year before, while small organisations saw a 14% increase in those responding that they had been breached to 74%.
Although the number of organisations attacked has been on the increase, the type of attacks has not changed greatly for large organisations, which saw the only number of malicious incidents drop slightly. Small organisations, however, saw a shift from serious incidents (down by 25%) to malicious incidents (up with 15%).
The types of breaches have also been changing, with malicious actors looking more and more toward infecting targets with viruses or malicious software. Of the larger organisations affected, 84% had to deal with such infections, up from 59% in 2013, compared to 63% of small organisations, up from 41% in 2013. Attacks from unauthorised outsiders were also up on last year’s report, from 58% to 70%. For small organisations theft or fraud involving a computer has been dropping significantly in recent years, down to 6% from 16% in 2013.
Security incidents are very costly for organisations. The report highlights that the costs for the worst incident for large organisations range from just under £1.5 million (£1,455,000) to £3.14 million. For small organisations, the range starts at £75,200 to £310,800. These figures are up considerably on the year before, when for small businesses the average cost for the worst incident stood at £65,200 to £115,000 and for large organisations between £600,000 and £1,150,000.
The biggest threat to both kinds of business is disruption to business, which over a period of 2 – 12 days costs small organisations between £40,000 and £225,000 and large organisations between £800,000 and £2,100,000. Lost business hits smaller organisations harder than big ones, with small organisations losing between £25,000 and £45,000 while large organisations lose between £120,000 and £170,000.
Organisations are aware of the considerable damage that can be caused by the loss of sensitive information. Just over a third (34%) notes that the main driver for security expenditure is to protect their customers’ information, followed by 21% looking to protect their organisation’s reputation. Interestingly, only 1% cites cost reduction as a reason to spend money on security.
In a bid to improve the long term security, in response to the most serious breach, 50% of large organisations improved the training of their staff. Almost the same percentage (47%) changed the configuration of their current system, 39% changed their security policies and 32% formalised a post incident review.
Commenting on the results, Andrew Miller, Cyber Security Director at PwC, says: “With nine out of ten respondents reporting a cyber-breach in the past year, every organisation needs to be considering how they defend and deal with the cyber threats they face. Breaches are becoming increasingly sophisticated, often involving internal staff to amplify their effect, and the impacts we are seeing are increasingly long-lasting and costly to deal with.”