The number of UK data breaches and victims has gone down in the past year, but the cost of the most serious incidents has risen significantly, a government-sponsored report shows.
The average cost of the worst breach for large organisations is £600,000 to £1.15m, up from £450,000 to £850,000 a year ago, according to the 2014 Information Security Breaches Survey.
The report, launched at Infosecurity Europe 2014 in London, was conducted by PricewaterhouseCoopers (PwC) and sponsored by the Department for Business Innovation and Skills.
The cost of data breaches for smaller businesses with fewer than 250 employees has roughly doubled to between £65,000 and £115,000, up from £35,000 to £65,000 a year ago.
This is despite a slight decrease in the number of organisations being hit, down to 81% of large organisations from 86% a year ago and 60% of small businesses, down from 64% a year ago.
The median number of breaches suffered by large organisations fell to 16 from 21 a year ago, while the number decreased to six for smaller businesses, down from 10 the year before.
Despite these dips, 55% of about 1,100 respondents said they expect more security incidents in the coming year.
Science minister David Willetts said: “Although there are some positive and encouraging signs, the fact that the cost of the worst breaches has increased so much indicates there is still work to do.
“This report is a reminder of the economic cost of cyber breaches, and the UK government takes this very seriously.”
For this reason, the government committed £860m to its cyber security programme for the five years to 2016, said Willetts.
Threats outside and in
The study found that attacks from outsiders continue to cause the most security breaches, and malicious software is increasingly the means used for such attacks.
But the focus seems to have shifted back towards large organisations, with 55% reporting attacks by an unauthorised outsider, compared with 33% of smaller organisations.
The 2014 Information Security Breaches report is a reminder of the economic cost of cyber breaches
David Willetts, science minister
Nearly three-quarters of large organisations suffered from infection by malicious software, compared with 45% of smaller organisations.
More than one-third of large organisations were the target of denial-of-service (DoS) attacks, while only 16% of smaller organisations suffered such attacks.
Nearly one-quarter of large organisations detected that outsiders had successfully penetrated their network, compared with 12% of smaller organisations.
Although 16% of large organisations reported that outsiders had stolen intellectual property or confidential data, only 4% reported the loss of such data.
The study found that staff-related breaches had dropped significantly compared with a year ago, but staff continue to play a key role in security breaches.
While 58% of large organisations reported staff-related breaches, down from 73% the year before, only 22% of smaller organisations reported staff-related breaches, down from 41%.
However, 31% of the worst security breaches in the past year were caused by inadvertent human error and 20% by deliberate misuse of systems by staff.
Chris Potter, IT risk assurance partner at PwC, said: “This means just over half of the worst breaches involved members of staff.”
Security awareness improving
On a positive note, the study found most organisations continue to prioritise security, with a fall in the number of worst breaches caused by insufficient priority.
“This highlights an increased awareness of security at executive level,” said Potter.
More on managing security
- Cloud-based application security: Preventing security breaches
- Target data breach: Why UK business needs to pay attention
- Insider threat prevention controls to thwart data breach incidents
- CW500 Security: Adrian Davis, incoming managing director of (ISC)2
- As threats mount, CISOs must rethink information security programs
- CW500 Security Club: The next threat landscape - what to expect
The study found that 79% of senior managers place a high or very high priority on security and only 7% of the worst breaches were tied to senior management giving insufficient priority to security.
Security budgets are beginning to reflect this high priority, with a marked increase in spending on information security by smaller businesses, with 15% spending more than 25% of their overall IT budget on security, compared with just 10% of large organisations.
But Potter noted that in the past year, the worst breaches took place at organisations that had implemented anti-virus systems, which were all up to date.
Many businesses are becoming more aware of the importance of education on security, with more organisations explaining their security risks to staff to ensure they take the right actions to protect information.
The study found 68% of large organisations and 54% of smaller organisations provide ongoing security awareness training to staff, up from 58% and 48%, respectively, a year ago.
But this is not true for all, the report said, with nearly a quarter of organisations failing to brief their board on security risks in the past year and 13% reporting they have never done so.
In 70% of companies where security policy was poorly understood, there were staff-related breaches, compared with just 41% where policy was well understood.
Risk management skills
The study found there have been improvements in risk assessment and security skills, but many organisations still struggle to evaluate the effectiveness of their security activities.
One in five respondents said they had not carried out any form of risk assessment, down from 23% the year before.
About 70% of organisations are keeping their worst security incidents under wraps, so what makes the news is just a small proportion of the breaches that are actually taking place
Another positive note, however, was that 59% said they are confident they will have sufficient security skills to manage their risks in the coming year, up from 53% last year.
But one-third of respondents said they do not evaluate how effective security expenditure is, up from 31% the year before.
The use of technology remains a key part of businesses’ daily working, so it is vital to ensure a flexible approach to security, the report said.
The study found that 12% of large organisations had a security or data breach in the past year relating to social networking sites, while 7% had a breach involving smartphones or tablets.
Cloud computing services were linked with breaches experienced by 5% of respondents and 10% of the worst breaches were due to portable media bypassing defences, up from 4% a year ago.
As organisations improve their understanding of the security threats they face, they are doing more to manage associated risks and are seeking new ways to gain assurance over security, the report said.
The study found that 52% of large organisations and 35% of smaller organisations have insurance to cover them in the event of a breach, while 69% of respondents invest in, or plan to invest in, threat intelligence.
Finally, among the headline findings of the study, it emerged that the data breaches that reach the public domain and are reported in the media account for only about 30% of all breaches.
The study found that about 70% of organisations are keeping their worst security incidents under wraps, so what makes the news is just a small proportion of the breaches that are actually taking place.