Businesses are under attack on a daily basis and the problem is getting worse. That, in essence, is the conclusion of PWC’s annual Information Security Breaches Survey. The average cost of the most severe online security breach for a large business now starts at £1.46 million, up from £600,000 in 2014. For SMEs, the most severe breach can now cost up to £310,800, up from £115,000 in 2014. Yet, despite this, most organisations do not plan to spend more on information security over the coming year.
Key findings from the survey
The Information Security Breaches Survey is commissioned annually by the government and conducted by PWC. It is intended to provide an overview of information security trends and to raise awareness amongst UK businesses of the risks of cybercrime. Some of the key findings from the 2015 survey are as follows:
- The number of security breaches has increased, and their scale and cost have nearly doubled.
- Nearly 9 out of 10 large organisations surveyed now suffer some form of security breach.
- Despite the increase in staff awareness training, people are as likely to cause a breach as viruses and other types of malicious software.
- The trend in outsourcing certain security functions and the use of ‘Cloud computing and storage’ continue to rise.
As noted above, there has been a noticeable increase in staff-related information security breaches. Three-quarters of large organisations suffered a staff-related breach (up from 58% the previous year) and nearly one-third of small organisations had a similar occurrence (up from 22% the previous year). Indeed, when questioned about the single worst breach suffered, half of all businesses attributed the cause to human error (up from 31% the previous year).
What are businesses doing?
In some respects, businesses are attempting to address their information security problems. For example, more organisations are providing staff training to reduce human error-related breaches. 72% of large organisations and 63% of SMEs now have continuing awareness and education programmes.
Notwithstanding the above, most businesses do not plan to spend more on information security over the next year. Only 7% of SMEs expected information security expenditure to increase in the coming year, down from the previous year’s 42%. Moreover, where money is spent, it may be poorly targeted, for instance on technical controls that do relatively little to prevent the staff-related breaches the survey identifies as the most common cause.
Reporting is currently not mandatory, and businesses are reluctant to report information security breaches to the relevant government agencies and authorities. For example, of those surveyed, only 19% of organisations had reported security incidents to a government agency (including the Information Commissioner’s Office). Clearly, without adequate information, it is difficult for the government to estimate the scale and types of crime being committed. With reference to the single worst data breach, 14% of all respondents were unaware of the relevant legal regulations or of what action to take in the event of a breach.
For large and small business alike, information security breaches are now a near certainty. Organisations need to take this threat seriously. Investment in staff training is key in this regard.