UK firms are suffering a record number of security breaches, costing billions of pounds a year, a survey of more than 400 businesses shows.
"We have been doing the survey since the early 1990s, which gives us really good trend data to be able to identify patterns," Chris Potter, PricewaterhouseCoopers (PwC) information security partner told attendees of Infosec Europe 2012 in London.
In the past year, one in seven large organisations detected hackers within their systems, according to PwC's 2012 Information Security Breaches Survey, which was released at the event.
This is the highest level recorded, said the survey, which was completed in conjunction with Infosecurity Europe and supported by the Department for Business, Innovation and Skills.
Some 70% of large organisations detected significant attempts to break into their networks in the past year, which is another record high.
Each large organisation suffered an average of 54 significant attacks, double the number in 2010, and 15% had their networks successfully penetrated by hackers.
The average cost of the worst security breach for large organisations was between £110,000 and £250,000, while for small businesses the cost ranged from £15,000 to £30,000.
Potter said that, considering most businesses share data with their business partners across the supply chain, these numbers are startling and make uncomfortable reading for business.
The Universities and Science Minister David Willetts, whose responsibilities include cyber security issues, said the survey results are a timely reminder for UK businesses to make sure their information systems are protected so they can take full advantage of the online world.
"The survey demonstrates why the Government is right to be investing £650m to improve cyber security and make the UK one of the safest places to do business in cyberspace," he said.
Some 93% of respondents from large organisations and 76% from small businesses reported a security breach in the past year.
The survey showed an increase in the number of outsider attacks, especially against large organisations.
On average, large organisations faced one attack a week, compared with one a month for small businesses.
"Large organisations are more visible to attackers, which increases the likelihood of an attack on their IT systems," said Potter.
Large organisations also have more staff and more staff-related breaches, he said, which may explain why small businesses report fewer breaches than larger ones.
All sectors reported attackers on the internet trying to impersonate them; financial services and government bodies were hit most, often reporting "phishing" attacks several times a day.
Customer impersonation and identity fraud remain high, up threefold from 2008, with all sectors affected. However, financial services companies have now overtaken retail.
Criminals currently appear to find it easiest to make money by impersonating the customers of banks, the survey report said.
One in eleven respondents reported that an outsider had stolen confidential data, with financial services and utilities providers the worst affected.
In the past year, 45% of large organisations breached UK data protection laws, and only 18% of the organisations that did so had an effective contingency plan in place; 20% of small businesses lost confidential data, and 19% of large organisations were hit by employee computer fraud.
The root cause, the survey report said, was often the failure to invest in educating staff about security risks, with 75% of organisations where the security policy was poorly understood experiencing staff-related breaches.
Despite the prolonged economic slowdown, most organisations have spent more on security this year than in the year before.
On average, organisations spend 8% of their IT budget on information security, but those that suffered a very serious breach spent only 6.5% of their IT budget on security.
The survey report said there was some evidence of complacency setting in among large organisations, with 20% of respondents saying their organisation spent less than 1% of the IT budget on information security.
A root cause, the report said, is that it is hard to measure the business benefits from spending money on security defences. Only 20% of large organisations evaluate return on investment in security.
"The key challenge is to evaluate and communicate the business benefits from investing in security controls. Otherwise, organisations end up paying more overall," said Potter.
The cost of dealing with breaches, and of the knee-jerk responses that follow them, usually outweighs the cost of prevention, he said.
"If security is doing its job it goes unnoticed and it's hard to measure the business benefits, so investment in security often ends up losing out against other competing business priorities," said Potter.
The challenge for a business of any size, he said, is to make sure the money spent on security is well targeted. "Evaluating the effectiveness of your security expenditure is vital if you are to stay ahead of the emerging threats," he said.