#infosec15: Rise in UK Cybersecurity Incidents as Average Costs Soar

Almost three-quarters of small UK businesses, and 90% of large organizations, have experienced a security breach, roughly a 10% increase for both compared with the same time last year. This is one of the key findings from the 2015 Information Security Breaches Survey, commissioned by HM Government, conducted by PwC, and launched this morning on the keynote stage at Infosecurity Europe.

And not only are more companies feeling the pain of breaches but the average costs associated with security incidents are also rising sharply.

The survey – which canvassed 664 IT pros and senior business leaders across a wide array of sectors – asked respondents to put a monetary cost on their worst security breach of the year.

For a large organization this price has more than doubled since the 2014 survey, now ranging between £1.46m and £3.1m, up from £600k to £1.15m a year ago. The average cost to small businesses, meanwhile, ranges from £75k to £311k, up from £65k to £115k last year.

Speaking at Infosecurity Europe, a team of experts from PwC explained that the nature and type of threats that organizations now face have changed. While malicious software was once the highest concern for companies, it is now data leaks and attacks from unauthorized outsiders that should be keeping company execs up at night. Almost 70% of large UK organizations were attacked by unauthorized outsiders last year, up from 55%.

Meanwhile, also worrying is the increase in reported security incidents related to staff misdemeanors, whether accidental or not. Three-quarters of large organizations experienced incidents of this kind in the last year, up from 58%. Around half of all respondents’ worst breaches of the year were down to inadvertent human error.

Richard Horne, PwC cybersecurity partner, explained that this includes things like phishing emails or an employee sending sensitive information to the incorrect recipient.

Faced with this alarming development, Giles Smith from BIS, which worked closely with PwC on the survey, explained that, “There are signs that industry is starting to respond to this more positively with more organizations large and small providing ongoing security training to their employees.”

Indeed, this is borne out in the data, which found that around three-quarters of large, and two-thirds of small businesses, now provide ongoing security awareness training to staff, an increase from last year in both cases.

Summarizing in the face of the report’s findings, Smith said, “It’s fair to say that it’s a pretty mixed picture. While it’s disappointing to see the scale and cost of breaches has increased, there are positives too. The UK has made considerable progress in the last five years on its agenda, putting in place the guidance and schemes it needs.”

Specifically, Smith referenced the government Cyber Essentials initiative and recently-renewed 10 Steps to Cyber Security as influential in driving businesses to focus more closely and effectively on cybersecurity.

Horne commented: “A breach is pretty much inevitable for an organization in the UK in today’s world. Dealing with breaches is now a fact of life.”

He added: “People are starting to realize that cybersecurity is not about fixing technology; it’s about fixing the way we use technology.”
