The number of information security breaches affecting UK businesses has decreased over the last year but the scale and cost of individual breaches has almost doubled.
The Information Security Breaches Survey 2014, commissioned by the Department for Business, Innovation and Skills (BIS) and carried out by PwC, found that 81% of large organisations suffered a security breach, down from 86% a year ago. 60% of small businesses reported a breach, down from 64% in 2013.
Although organisations are experiencing fewer breaches overall, the severity and impact of attacks has increased, with the average cost of an organisations’ worst breach rising significantly for the third consecutive year. For small organisations the worst breaches cost between £65,000 and £115,000 on average and for large organisations between £600,000 and £1.15 million.
The majority of businesses have increased IT security investment over the last year.
Universities and Science Minister David Willetts said: “These results show that British companies are still under cyber attack. Increasingly those that can manage cyber security risks have a clear competitive advantage.
“Through the National Cyber Security Programme, the government is working with partners in business, academia and the education and skills sectors to equip the UK with the professional and technical skills we need for long-term economic growth.”
Andrew Miller, cyber security director at PwC, said: “Whilst the number of breaches affecting UK business has fallen slightly over the past year the number remains high and in many companies more needs to be done to drive true management of security risks.
“Breaches are becoming more sophisticated and their impact more damaging. Given the dynamic nature of the risk, boards need to be reviewing threats and vulnerabilities on a regular basis. As the average cost of an organisation’s worst breach has increased this year, businesses must make sure that the way they are spending their money in the control of cyber threats is effective. Organisations also need to develop the skills and capability to understand how the risk could impact their organisation and what strategic response is required.”
According to the report, 70% of companies that have a poor understanding of security policy experienced staff related breaches, compared to only 41% in companies where security is well understood. This suggests that communicating the security risks to staff and investing in ongoing awareness training results in fewer breaches.
The survey also found that there has been an increase in the number of businesses which are confident that they have the skills required within their organisations to detect, prevent and manage information security breaches – up to 59% from 53% last year.
Ensuring that we have the cyber skills capability to meet the evolving needs of businesses is a key objective of the UK’s National Cyber Security Strategy. Earlier this year, the government unveiled a raft of new proposals to meet the increasing demand for cyber security skills. These include a new higher-level apprenticeship, special learning materials for 11 to 14-year-olds and plans to train teachers to teach cyber security.
Earlier this year the government launched a new scheme to help businesses stay safe online. Cyber Essentials provides clarity to organisations on what good cyber security practice is and sets out the steps they need to follow, to manage cyber risks. From this summer organisations that have complied with the best practice recommendations will be able to apply to be awarded the Cyber Essentials Standard. This will demonstrate to potential customers that businesses have achieved a certain level of cyber security and take it seriously.
David Willetts will talk about the results of the survey in his speech at the Infosecurity Europe conference at Earls Court, London later today. He will also unveil the seven companies that have been identified as leaders in developing new techniques to protect data from criminals. They will benefit from £500,000 to carry out research and development projects as part of the Technology Strategy Board’s (TSB) cyber launchpad competition.