The burden of security incidents in the UK is falling on small- to medium-sized enterprises (SMEs), according to the latest government-sponsored survey of information security breaches in the UK.
The survey, which was conducted by a consortium led by PricewaterhouseCoopers, found that three-quarters of UK businesses rate security as a high or very high priority for their senior management or board of directors.
This priority given to security has translated into action. UK companies are spending more on information security controls than ever, on average 4% to 5% of their IT budget, up from 3% in 2004 and 2% in 2002. The increased expenditure is leading to better adoption of security controls – for example, three times as many companies have a security policy as did six years ago, and 98% of businesses have anti-virus software in place.
Fewer companies had security incidents than in 2004 when the survey was last undertaken: overall, 62% of businesses have had a security incident in the past year, down from 74% two years ago. However, the burden of security incidents is falling on SMEs, where security controls tend to be less well developed.
The average number of incidents suffered has risen by 50% to roughly eight a year. The average cost (principally business disruption cost rather than cash losses) of a UK company's worst security incident was approximately £12,000 – up from £10,000 two years ago. Overall, an indicative estimate of the total cost of security breaches to UK companies is up by 50% from two years ago, and is around £10 billion per annum.