The average cost of the worst breaches at large UK organisations is between £1.4m and £3.14m, according to the government’s 2015 information security breaches survey conducted by PwC.
This represents an increase of 233% to 273% from a year ago, while the cost of breaches for small businesses is between £75,000 and £311,000, up by between 115% and 270% from 2014.
There has also been an increase in the number of organisations being breached, according to the report released at Infosecurity Europe 2015 in London.
Some 90% of large organisations reported breaches, up from 81% a year ago, while 74% of small organisations said they had been breached, up from 60% in 2014.
The majority of UK businesses polled expect that breaches will continue to increase in the coming year. The survey showed 59% of respondents expect to see more security incidents.
While all sizes of organisations continue to experience external attacks, there appears to have been a slow change in the character of these attacks, the survey revealed.
Large and small organisations appear to be subject to greater targeting by outsiders, with malicious software impacting nearly 75% of large organisations and 60% of small organisations.
There was, however, a marked increase in small organisations suffering from malware, up by 36% compared with a year ago.
Staff-related incidents featured in the 2015 survey with 75% of large organisations suffering a staff-related breach, up from 58% a year ago, and nearly a third of small organisations, up from 22% in 2014.
When asked about the single worst breach, half of the organisations polled attributed the cause to inadvertent human error, up from 31% a year ago.
This increase is despite the fact that security training is being done by 72% of large organisations, up from 68% a year ago, while 63% of small businesses are providing training, up from 54% in 2014.
But the survey revealed that 21% of respondents have not briefed their board in the past year, while 14% said they have never briefed their board on security risks. And only 26% of organisations stated that responsibility for ensuring data is protected is very clear, while 33% said it was not clear.
There was, however, a slight increase in the proportion of organisations where senior management is viewed as giving security a “high” or “very high” priority, up to 82% from 79% a year ago. But some 28% of respondents said a “lack of priority” from senior management was a contributing factor to their single worst breach, up from just 7% in 2014.
The survey uncovered that nearly a third of organisations have not conducted any form of security risk assessment, up from 20% a year ago. The report said this reverses the trend of the past two years and raises the question of whether businesses have the required skills or experience.
Innovation brings risks
The report said innovation often brings new risks, and the survey revealed there has been an increase in information security breaches caused or enabled by technology meant to improve productivity and increase collaboration.
The survey showed 13% of large organisations had a security or data breach in the past year relating to social networking sites, barely changed from a year ago, but 15% of large organisations had a security or data breach involving smartphones or tablets, up from just 7% a year ago.
The proportion of security or data breaches relating to cloud computing services rose by only 2%, to 7%, while only 3% of the worst data breaches were due to portable media bypassing defences, down from 10% a year ago.
The report said the difference between the higher levels of uptake of cyber threat intelligence and cyber liability insurance reflects different rates of maturity across industry of how security risks are managed.
“Although there appears to be a large drop in insurance coverage, this may be due to a greater understanding of the cover provided by standard business disruption insurance policies in the event of an information security breach,” the report said.
The survey revealed that 39% of large organisations have insurance to cover them in the event of a breach, down from 52% a year ago, while 27% of small businesses have coverage, down from 35% in 2014. Some 63% of respondents currently invest in or plan to invest in threat intelligence to actively monitor threats, which is slightly down from 69% a year ago.
The human factor
(ISC)² European managing director Adrian Davis said the report reveals that “the elephant in the room” in cyber security is the human factor.
“The revelation that human error caused 50% of the worst security breaches in 2015 and that three-quarters of large organisations suffered staff-related breaches shows there is still a ‘people problem’ that many organisations are failing to address,” he said.
According to Davis, the rise in outsourcing also indicates that companies are seeking to offload their cyber security responsibilities to others rather than ensuring their in-house employees are equipped with appropriate security knowledge.
“This has resulted in basic attack methods being successfully utilised to penetrate large organisations through their employees,” he said.
(ISC)²’s recent global survey of the information security workforce showed that phishing attacks – hoax emails that dupe people into downloading malware – are still the most common threat technique used by malicious actors.
“Even worse, more than a third of all cyber security investments are used for technical controls, while only a quarter of companies plan to invest in training staff,” said Davis.
“This indicates that businesses are falsely reliant upon security technology instead of investing in vital staff education and training,” he said.
According to Davis, no matter how strong your technical defences are, poorly trained employees have become a prime gateway for attackers to get in. He believes that complacency around awareness training is exacerbating the security breach issue.
“Companies train staff to protect themselves in the real world with health and safety training,” said Davis. “They need to treat information security in the same manner by teaching employees safety in the virtual world.”
He added that the rise in bring-your-own-device offers more opportunities for malicious actors to attack organisations through their staff, reinforcing the urgent need to teach employees about cyber security.
“Too many companies still treat cyber security as a niche specialism closeted away in the IT department or outsourced to professionals instead of giving the topic the much-needed attention it deserves by educating all company employees,” Davis said.
The massive business and reputational damage unveiled in the survey offers a new imperative for businesses to change their approach to cyber security, he added.