UK companies are not yet on top of cyber security incidents or their causes, according to PwC’s Global State of Information Security Survey 2016.
Nearly 10% of UK companies do not know how many cyber security attacks they had in the past year and 14% do not know how they happened, the survey shows.
PricewaterhouseCoopers (PwC) interviewed more than 10,000 executives from more than 127 countries – including 637 in the UK – across all industries about the challenges companies face in defending against cyber attacks.
Prevention and detection methods have proved largely ineffective against increasingly adept assaults. Many organisations do not know what to do, or lack the resources to combat today’s highly skilled and persistent cyber criminals, the report said.
However, the survey shows that organisations around the world are starting to act and think seriously about cyber security, said Dave Burg, global and US cyber security leader at PwC.
“We are seeing an increase in awareness of the risk and opportunities, and more boards are becoming more actively engaged in cyber security preparedness,” he said.
Although there is an increased involvement by boards, the report said they are often not involved in critical initiatives – such as security strategy, budget and review of risks.
The survey found 55% of boards do not participate in the overall security strategy; and 42% do not have an overall information strategy.
There is also a growing trend towards more strategic collaboration and response, greater information sharing and greater understanding and visibility of risks.
The survey found the number of organisations that embrace external collaboration has steadily increased, with 65% of respondents collaborating with others to improve security.
Data explosion creates risk
According to PwC, these trends need to continue and grow to counter the annual increase in the frequency, severity and impact of cyber attacks.
At the same time, the report said technological change continues to disrupt how organisations compete and create value in ways that often alter operating models.
“Some of today’s most significant business trends, including the explosion of data analytics, the digitisation of business functions and a blending of service offerings across industries, have expanded the use of technologies and data, and that is creating more risk than ever before,” the report said.
However, the report notes that attack prevention, detection methods and innovation are on the rise globally, as forward-thinking business leaders focus on systems that cut risks and improve business performance.
The report examines how executives are looking towards emerging innovations and frameworks to improve security and mitigate enterprise risk.
As cyber risks become increasingly prominent in the boardroom, business leaders are rethinking cyber security practices, focusing on innovative technologies that reduce enterprise risk and improve performance.
The survey found 91% of organisations have adopted a security framework, or a combination of frameworks. These technologies are yielding considerable opportunities to improve cyber security and produce holistic, integrated safeguards against cyber attacks, the PwC report said.
The survey is aimed at providing insight and transparency to enable businesses to get to grips with cyber security and privacy, and build business cases for investment, said Stewart Room, cyber security and data protection partner at PwC.
The importance of transparency
“Transparency and insight are also important from a legal perspective, because the law wants businesses to understand security and privacy, and how to protect themselves,” he said.
This relates to three key areas, said Room. First is supply chain security. “You are only as strong as your weakest link and the law wants you to understand how your suppliers are ensuring security and privacy,” he said.
Second, regulators are increasingly requiring transparency in cyber security and privacy, and consequently there is a rise in breach disclosure obligations.
Third, customers want to know their personal data is safe and secure, and the businesses they deal with respect their privacy.
Keeping an accurate inventory of personal data is a key priority for UK organisations in the next year, the report said.
In the past year, the survey found the compromise of customer records increased to 38%, up from 28% the year before, while the compromise of employee records rose to 33%, from 29% the year before.
Other key findings of the survey include:
- A third of reported UK incidents are due to mobile devices being exploited;
- Insiders ‐ current or former employees ‐ top the list as a major source of incidents;
- Incidents now cost an average of £1.7m;
- Cloud computing and the internet of things are making a major impact on technology innovation, but also the number of attacks;
- There was a 38% increase in detected information security incidents and a 24% boost in security budgets in 2015;
- In the past year, UK security budgets were on average 3.7% of the total IT budget, compared with 3.65% in Europe and 3.78% in the US;
- Some 80% of organisations experienced service downtime due to security incidents.
IoT risk and opportunity
Richard Horne, PwC cyber security partner, said many business leaders see cyber security as the risk that will define their generation.
“The most innovative companies are rising to the challenges they face, looking at new technology and seeing how they can best protect their assets and reputation to gain competitive advantage,” he said.
According to Horne, adapting traditional cyber security measures to an increasingly cloud-based world is an example of this effort, with considerable investment in developing network infrastructure capabilities that enable improved intelligence-gathering, threat-modelling, defence against attacks and incident response.
The survey found 69% of respondents use cloud-based security services to protect sensitive data and ensure the privacy and protection of consumer information.
While big data is often considered a cyber liability, 59% of respondents are using data-powered analytics to enhance security, by shifting security away from perimeter-based defences and helping organisations to put real-time information to use in ways that create real value.
As the number of internet-connected devices continues to surge, the PwC report said the IoT will inevitably increase the stakes for securing cloud-based networks. Investment intended to address these issues doubled in 2015 – but only 36% of UK survey respondents had a strategy addressing the IoT.
The report also found 59% of organisations had bought cyber security insurance, compared with 51% last year; while 43% of UK survey respondents report making a claim on their insurance.
“In our digitally interconnected world, businesses cannot stand still,” said Horne.
“They need to prepare and continually test their defences ‐ and respond to breaches ‐ in the face of incredibly sophisticated attacks.
“This requires commitment and leadership from the very top of an organisation to prevent breaches, but also to detect and respond to them rapidly and in the right way when they happen,” he said.