British businesses have been hit by a surge of information security breaches over the last two years that could be costing the country several billion pounds a year.
The latest edition of the Information Security Breaches Survey (ISBS) from PricewaterhouseCoopers LLP (PwC) reveals that data security breaches, involving both outside hackers and company insiders, have increased to unprecedented levels since the last report.
PwC produces the Information Security Breaches Survey every two years and it is widely considered a valuable snapshot of the state of U.K. information security. In recent years, each report has shown a gradual improvement as companies began to implement good basic security controls. But the latest report shows a complete reversal, caused by increased cybercrime activity and a rise in fraud during the recession.
"Information security does not happen in a vacuum. It is the tail of the dog which is the business environment," said Chris Potter, joint author of the report and a partner at PwC. "Overall, the prospect is very gloomy."
The 2010 Information Security Breaches Survey shows that technology has continued to evolve rapidly through greater use of cloud computing, virtualisation and social networks. Organisations in both the public and private sectors have done more work to understand the risks they face, with 82% of large ones and 75% of smaller ones assessing information security risks now, compared to 48% who did so in 2008.
Nearly half the organisations polled said they had increased their expenditure on information security in the previous year and roughly the same number said they expected to spend more on it next year.
But this extra focus and expenditure has failed to prevent the number of information security breaches from more than doubling in two years, the report reveals. "All types of breaches were on the increase and a conservative estimate is that the total cost of data breaches to U.K. business in billions of pounds is now well into double figures," said Potter. In the 2008 survey, 35% of companies said they had suffered a malicious breach in the previous year; in 2010 the figure has risen to 90% for large organisations (more than 250 employees) and 75% for smaller companies with fewer than 25 staff.
Smaller companies had suffered on average 11 breaches during the previous year (up from six in 2008), while large organisations had 45 breaches (up from 15 in 2008). The cost of a data security breach also increased, with smaller companies saying their worst incident on average had cost them £55,000, compared to £20,000 in 2008; for larger companies the average worst event cost was £690,000, compared to £170,000 in 2008.
To make matters worse, these companies do not expect things to get better: 56% of large organisations predicted the number of incidents would grow next year, and 43% of small companies were equally pessimistic.
Other data breach findings for larger organisations included:
- 62% were infected by a virus or malicious software in the last year (21% in 2008).
- 61% have detected a significant attempt to break into their networks (31%).
- 15% have detected actual penetration by an unauthorised outsider into their networks in the last year (13%).
- 25% have suffered a denial-of-service (DoS) attack (11%).
- 46% said staff had lost or leaked confidential data.
- 45% of confidentiality breaches were very or extremely serious.
The Information Security Breaches Survey 2010 was based on online responses from 539 organisations collected during February. Previous reports were sponsored by the Department of Trade and Industry (later the Department for Business, Enterprise and Regulatory Reform, or BERR) and were based on more than 1,000 telephone interviews with a carefully selected cross-section of companies.
Andrew Beard, the report's co-author, said that with the departmental changes that saw BERR become the Department for Business, Innovation and Skills (BIS) last year, sponsorship had not been forthcoming this time. The research therefore had to be scaled back and relied on the online survey rather than telephone interviews. He said the 2010 report had a greater representation of large companies, but smaller companies were not as well covered, so the findings relating to smaller firms could be less accurate than in previous years.