Maksim Kabakou - Fotolia

UK firms say £6.6bn annual security testing cost too high

Avord launches platform to reduce the multibillion-pound annual cyber security testing cost that most UK firms say is too high

Businesses across the UK have criticised the security testing industry for being too expensive, costing industry more than £6.6bn a year, according to a report.

The report is based on a market snapshot survey of 400 UK businesses of various sizes across the healthcare, energy, finance, retail and manufacturing industry sectors.

Some 77% of businesses polled by security testing platform provider Avord said the cost of testing is too expensive, with the security testing market dominated by consultancies that provide services to businesses at up to twice the daily rate of independent testers.

The need to use external consultants is driven by the fact that only one in five UK businesses with more than 750 employees have sufficient in-house skills and knowledge to carry out security testing.

The figure falls to just 1% among small to medium-sized enterprises (SMEs), with businesses almost exclusively (95%) outsourcing the testing of security controls for critical assets.

The survey shows that three in four businesses are currently initiating security testing to comply with organisational operating practices and standards, such as ISO27001, ITIL, the Information Security Forum’s (ISF’s) Standard of Good Practice for Information Security and public sector guidelines.

However, most firms taking part in the study said determining the risks associated with a sensitive data breach (72%) and cost (72%) were major challenges when it came to conducting tests.

The complexities and lack of security testing knowledge were also cited as key issues, with seven in 10 citing “identifying when in the development process to test” and “what kind of testing was required” as further challenges.

As a result, more than three-quarters of businesses (82%) are now outsourcing security testing on their critical assets at considerable expense.

The study shows that a third of UK businesses have been hit by an online security breach in the past 12 months, with a quarter saying that the breach has had a direct impact on their bottom lines, lost them customers and damaged their brand reputations.

Out of those hit by a cyber attack, 95% reported that the breach occurred partly or totally as a result of issues with the security testing process.

In the past five years, the majority of companies indicated that they have seen a major increase in the number of data breaches. A quarter reported an increase of between 10% and 20%, one in 10 reported an increase of between 30% and 40%, while more than a half reported an increase in data breaches of up to 10%.

Cost-cutting security platform

In an attempt to make security testing more affordable and thereby reduce overall cyber risk in UK firms, Avord has announced the launch of a security testing platform that the company claims will cut the costs of security testing by 30% to 40%, as well as make it simpler and more accessible.

Brian Harrison, founder and CEO of Avord, said companies are struggling to cope with the ever-increasing threats affecting their attempts to secure systems at current costs.

“Unless something changes, businesses will be forced to cut corners and this will inevitably mean there are more data breaches and system outages,” said Harrison.

“Avord has been designed to disrupt the current security testing model by cutting out the costly ‘middle-man’ consultancies and allowing businesses to directly manage and engage security testers. This means that whereas industry currently pays up to £1,100 per day for cyber security testing, that cost will be reduced to approximately £600, collectively saving UK businesses around £3bn annually.”

The whole point of the platform is to be disruptive, to bring clients and testers together and to remove the middle man in the form of consultancies, said Avord’s chief operating officer, Howard Pritchard.

“The testers will be working directly with the clients, and the clients will be able to agree a scope and standard as well as what the tests are and what they need to do, rather than working through a third party,” he told Computer Weekly.

The free online platform is designed to link a wide variety of qualified security testers with businesses, reducing costs by eliminating consultancy fees.

For companies, the platform provides automated scheduling and tracking of security tests to deliver an instant view of all tests across an IT estate through a risk and reporting dashboard.

“Every kind of security testing is available on the platform. Clients simply need to choose the type of testing they require – be it general testing, application testing or any other kind of testing. There is also an option for a security review of their IT environment or ‘health check’, if that is all they require,” said Pritchard.

The platform allows security testers to sign up for free, enabling them to stay independent and charge their normal day rates. The platform provides a means to receive contract offers from clients around the world, as well as a payment process designed to ensure payment on time and enable automated tracking when the work is completed.

The platform is free to use for clients and testers. While testers will receive their full fee without any admin fee being levied, Avord’s business model is based on charging an admin fee of up to 10% to clients who benefit from the service.

Avord plans another market survey in six to 12 months to see how things have changed. “We would like to see that Avord has been able to reduce the proportion of vulnerabilities and misunderstanding around the scope of testing and how to determine the level of cyber risk a company is facing,” said Pritchard.

Read more about security testing

Read more on IT risk management

Data Center
Data Management