Smaller firms are increasingly bearing the brunt of cyberattacks, according to a survey commissioned by the Department of Business, Innovation and Skills and carried out by PwC, the consulting firm.
Speaking to Infosecurity Europe via a video link, David Willetts, Minister of State for Universities and Science, said that 87% of small and medium enterprises (SMEs) had suffered a security breach, up from 76% in 2012.
The number of external attackers breaking into smaller businesses has doubled, to 14%, while 9% of SMEs discovered that intruders had stolen sensitive information or intellectual property, up from 4% last year.
Looking at the survey results in more detail, Andrew Miller, head of government information services at PwC, said that the level of attacks against larger businesses had remained relatively constant, whilst those against smaller companies had risen sharply.
In both cases, though, the financial cost of a security breach – measured in terms of actual financial loss, regulatory fines, reputational damage and the time taken to fix the problems – had also increased. Large organizations reported that the cost of their largest security breach of the year came to between £450,000 and £850,000. Smaller firms put their costs at between £35,000 and £85,000. For large organizations, the cost of security breaches has quadrupled.
But businesses also reported that, although they have maintained, and in many cases increased, information security spending, they were unsure whether that additional spending had bought an improvement. Few organizations – just 12% – now try to work out the return on investment for security spending.
According to PwC, one reason for this is a lack of skills, and a shortage of skilled staff, to implement improved security measures.
Almost all organizations surveyed reported that they had taken remedial action after a breach, but again the lack of expertise may be reducing its effectiveness. This is supported by the finding that, once an organization has suffered a security breach, it is far more likely to fall victim again.
"We are seeing companies spend more money: [security] budgets are up across the board," said Miller. "But the evidence suggests that although there is more budget and board attention, there are not the skills." This is causing businesses problems when it comes to implementing an improved security strategy.
PwC did find, though, that measures including staff training and social media monitoring are effective. Yet as many as 10% of companies carry out no information security training at all, and a significant minority – 42% – have no ongoing security awareness education.
Some measures, though, are working. Chris Potter, partner in PwC's OneSecurity practice, pointed out that the Government's recently issued 10 Step Guide to Cybersecurity is helping organizations to ensure that they have at least the basic security measures in place. "It is a good starting point for businesses of any size," he said.
The Government, for its part, plans to continue to act to improve the skills pipeline, according to David Willetts, as well as to provide more guidance to business.
"We will signpost companies to what good looks like," he said. "Business wants clearer indications around security standards."