The obvious conclusion that leaps from the pages of statistics that comprise PwC's Information Security Breaches Survey, 2012 is that things just aren't getting any better. Certainly, some companies feel safer and most are spending more, but the bottom line is that 93 percent of large organizations, and 76 percent of small organizations have suffered a security breach during the last year.
The survey was conducted by Infosecurity Europe, analysed by PcW, and supported by the department for Business, Innovation and Skills. It shows that British business is more than ever under attack from cybercriminals from without, and from naive and sometimes malicious staff from within.
To put this in perspective, the median number of 'significant' attacks by an unauthorised outsider on each of the larger companies that took part in the survey was 54 - that's more than one every week, and more than twice the number experienced in 2010 (the year of the last survey). Fifteen percent of the larger companies detected at least one successful intrusion during the year - and given the expertise with which intruders can now conceal themselves, this is likely to be a very conservative figure.
But the threat isn't just from ousiders. Figures also show that 45 percent of companies admitted to breaching data protection laws during the year; and ten companies admitted to doing so at least once every day. This is usually down to carelessness; either in the formulation and enforcement of policy, or simple failure of staff to adhere to policy.
It's not always carelessness. Nearly one-in-five companies have also suffered from their own staff carrying out computer fraud. Overall, says PwC, security problems stem from multiple failings in people, processes and technology.
The problem is that the traditional argument for investment, the return on that investment (RoI), does not exist for security. “If security is doing its job it goes unnoticed and it’s hard to measure the business benefits," comments Chris Potter, PwC information security partner, "so investment in security often ends up losing out against other competing business priorities." It tends to be only the failures that are noticed, and it's only after the event that "most organisations take a lot of action... to tighten up their security," said Potter. But, "The cost of dealing with breaches and the knee-jerk responses afterwards usually outweigh the cost of prevention," he added.
This failure to invest shows in both technology and people. Twenty percent of large organizations spend less than one percent of their IT budget on security. Where staff are concerned, only 26 percent of companies with a security policy actually believe it is well understood by their staff; and 54 percent of small companies have no security awareness and training programme at all.
The end result is that "the cost to UK plc of security breaches is running into billions every year," said Potter. "These numbers are startling and make uncomfortable reading for business leaders."
| See Infosecurity magazine interview Chris Potter at from the show floor at Infosecurity Europe 2012 |