UK firms are suffering more cyber security incidents than their global counterparts and are falling behind in identifying breaches, a study shows.
According to the latest Global State of Information Security report by consultancy firm PricewaterhouseCoopers (PwC), 69% of UK companies experienced a security incident in the past 12 months, compared with 59% globally.
PwC polled 9,805 executives from 154 countries, including more than 475 from the UK, across all industries, for the annual report on challenges faced by companies in defending against cyber attacks.
The number of reported security incidents around the world rose 48% to 42.8 million, the equivalent of 117,339 attacks a day in 2013.
However, more than 22% of UK companies surveyed said they failed to detect any security incidents in the past year, compared with only 16% globally and 18% in Europe.
In addition, 8% of UK businesses said they do not know how many security breaches they have had in the past 12 months.
“This is worrying because if organisations believe they have not had any security incident, they are not looking or not looking correctly,” said Richard Horne, cyber security partner at PwC.
“Taken together, these stats indicate that a third of companies in the UK economy are still a bit in the dark,” he said.
On a more positive note, 55% of UK companies said they plan to spend more on security in the coming year, up from 42% a year ago.
A third of UK companies said their spending will stay the same, and the remaining 12% either plan to cut back on spend or do not know how their spending will change.
“It is encouraging to see the majority of UK firms increasing spending when globally there is set to be a reduction in security spending,” said Horne.
“There are several possible reasons, like better board engagement with IT security professionals, and the fact that UK companies are in many cases playing catch-up with US spending,” he told Computer Weekly.
From working with UK companies, Horne believes security spending is generally becoming more aligned with business strategy and aimed at protecting the most important data assets.
By contrast, there is greater uncertainty overseas about security spending, with 18% of US companies saying they do not know what they plan to spend in the year ahead.
Global information security budgets decreased 4% in the past year compared with 2013, and security spending as a percentage of IT budget has remained stalled at 4% or less for the past five years.
Leadership is cited by 30% of respondents as the biggest obstacle to improving the overall effectiveness of the security function. More than a quarter of respondents do not think there is a senior executive who proactively communicates the importance of information security.
UK respondents said the top three obstacles to improving security are: insufficient capital funding, a lack of leadership from the CEO or board and the lack of an effective information strategy.
However, 42% of UK respondents said their boards are engaged with the overall security strategy, compared with 37% of those polled in the US.
“A sizeable minority of UK businesses are underestimating the scale of the problem they face,” said Horne.
“Information security incidents are a fact of life, and a critical element of defence is the ability to detect and respond to incidents quickly before they have an impact on business,” he said.
Horne said the fact that almost a third of UK businesses either have not detected a security incident or know that they are in the dark suggests that more attention needs to be paid to protecting data assets in the UK.
“The increasing spend on information security is welcome but securing digital assets has to be embedded in the DNA of all organisations. That requires leadership and a clear strategy, which again appears to be missing in nearly a third of businesses.
“It is encouraging that there is better board-level engagement with security strategy and spending, and that the UK is ahead of the US in that regard, but more needs to be done,” he said.
According to Horne, cyber attacks represent a risk that can be managed. But he said this requires continual focus, leadership and commitment.
“In the face of a continually rising tide of cyber threats, businesses cannot afford to take their eye off the ball and must strive not only to prevent breaches, but also to detect and respond to incidents rapidly when they happen,” he said.
The impact of security breaches has continued to affect business, with over a quarter of UK respondents admitting customer and employee records have been compromised.
The survey also showed that in the past year, more than 22% suffered the theft of intellectual property, and 20% suffered financial losses. In total, 70% of UK companies said they experienced some business downtime as a result of security incidents, and 59% experienced up to 24 hours of downtime.
Globally, the estimated reported average financial loss from cyber security incidents in the past year was $2.7M, a 34% increase over 2013.
PwC suggests that cyber insurance is one area where companies can look to protect themselves from theft or misuse of data.
According to the survey, more than half of UK companies have cyber insurance, but another 17% do not know whether they have any cyber insurance policies in place. UK companies have also been less proactive at claiming against their policies, with 34% making claims compared with 48% globally.
Despite the increasing cyber threats, most respondents still said insiders, particularly current or former employees, are a major source of security incidents.
Hackers and competitors are cited by fewer respondents as the source of outside security incidents.
“The results indicate that awareness of cyber security risk in the UK is improving,” said Grant Waterfall, cyber security partner at PwC.
“We're seeing the benefit of a number of government and private sector initiatives. Although there is still some way to go, the focus for many organisations must now shift from awareness to action,” he said.
Finally, the survey reports that UK companies have embraced initiatives to address risks from mobile security, following the trend for employees to use smartphones and tablets seamlessly between work and home.
But UK firms are still not as good at implementing controls for mobile devices as they should be in the light of the increasing trend to allow employees to use their own devices for work.
More than 56% said they have mobile security strategies, but 18% admitted they do not have any controls.
With the relatively high levels of board engagement, Horne said some UK companies are making reasonable progress in managing cyber risk.
“This needs to be elevated to the level of being truly managed as an enterprise risk rather than something that is left to the IT department alone to worry about.
“Companies need to ensure that as part of managing cyber threats as an enterprise risk, they are actively monitoring and reporting the incidents that are taking place and how they respond to them,” he said.