A new wave of security breaches is costing UK businesses billions of pounds, according to a survey of security professionals in more than 500 organisations by PricewaterhouseCoopers (PwC).
Chris Potter, partner, OneSecurity, PwC, told delegates at Infosecurity Europe in London that threat levels were the highest ever.
The threat environment was surprisingly bad and looked quite serious, he said.
This was despite the fact that security remained high on management's agenda and the recession had not dampened spending on security.
Public- and private-sector organisations appeared to have a greater understanding of security risks, but the survey revealed that most were ill-prepared to deal with them, he said.
New vulnerabilities were being exploited as businesses rapidly adopted emerging technologies such as virtualisation, social networking and cloud computing.
Series of threats
Potter said a series of threats was arising as new technologies were adopted, but people had to adapt to such changes and there was always a time lag.
Almost half the organisations polled said they had increased their expenditure on information security in the past year and about the same number expected to spend more on it next year.
Most organisations (82% of large ones and 75% of smaller ones) said they now assessed information security risks, compared with just 48% in 2008.
Potter said organisations were getting better at understanding security risks in a changing business environment where most of them relied increasingly on external services hosted over the internet.
Some 90% of large organisations said they had a formally documented security policy, up from 88% in 2008; 68% had partially or fully implemented ISO 27001, up from 65%; and 52% of large organisations gave staff ongoing education, up from 26%. But this was not translating into fewer breaches of security, said Potter.
The number of breaches had more than doubled in two years and had reached record levels for all sizes of organisation, he said.
All types of security breach were increasing, the survey found.
At a conservative estimate, the total cost of breaches to UK business in billions of pounds was well into double figures, said Potter.
The survey revealed a dramatic reversal of the downward trend in security breaches seen in a similar PwC survey in 2008.
Then, only 35% of those polled reported malicious security breaches in the previous year. In the latest survey, this figure was 92% for large organisations of more than 250 employees and 74% for small ones of up to 25 employees.
The average number of breaches and cost are also up on two years ago, with smaller businesses averaging 11 breaches compared with six in 2008 and their worst incident of the year costing up to £55,000 on average, compared with £20,000 in 2008.
Larger businesses averaged 45 breaches, compared with 15 in 2008, and the worst incident cost up to £690,000 on average, compared with £170,000 in 2008.
Most respondents were pessimistic about the future, with 56% of large organisations and 43% of smaller ones expecting more incidents in 2011.
Andrew Beard, director, OneSecurity, PwC, said part of the solution to ensure better security was to encrypt data, and there had been huge improvements in this area.
But educating people was just as important and more companies than ever now had a security policy, although only 19% of respondents from large organisations thought their policy was well understood by staff, he said.
The root cause of this was that investment in security awareness training, although on the increase, was still often inadequate, said Beard.
The survey showed 32% of large and small organisations relied on one-off security awareness training at induction.
Protecting customer information remained the strongest driver for security expenditure, but more and more serious confidentiality breaches were being reported.
Among large organisations, 46% said staff had lost or leaked confidential data, and 45% of confidentiality breaches were very or extremely serious, compared with just 15% for other breaches.
Many businesses were still failing to make staff the first line of defence, said Beard.