PwC’s latest annual breaches survey was published this month. Backed by an £860 million budget (from 2011 to 2016), the National Cyber Security Programme, now being propelled by Ed Vaizey, the Minister for Culture and the Digital Economy, has continued to commission PwC to conduct its annual survey of information security breaches. The results provide a richly detailed picture of the UK’s cybersecurity scene.
The report gathered responses from 664 companies, all based in the UK but varying greatly in size and focus. Almost half of the respondents were companies with 500 or more employees working within the professional services or technology sectors; however, small-to-medium sized businesses from almost all other sectors were also included, lending credibility and wide applicability to the reported data. (N.B. large organisations >250 employees, medium 50-249, small <50.) This year’s key survey findings read a lot like those of previous years: the number of security breaches is rising, the cost of security breaches is rising, and not enough is being done to combat these threats. Some of the more illuminating findings in this year’s survey were:
- 90% of large organisations reported that they had suffered a security breach (up from 81% in 2014). These results indicate that a breach is incredibly likely; failure to plan for a breach may, at the very least, compound the damage when breaches occur and may also lead to allegations that organisations have failed to meet the relevant legal standard of care;
- The cost of the worst security breach for a large organisation is in the average range of £1.46 to £3.14 million (significantly up from £600k to £1.15 million in 2014);
- The cost of the worst security breach for a small organisation is in the average range of £75k to £311k (a more modest increase from £65k to £115k in 2014, but a hugely significant sum given the likelihood that the cost will jeopardise the continuance of the business). Worryingly, 11% of respondents changed the nature of their business as a result of their worst breach;
- There has been an increase in information security breaches caused, or enabled, by technology meant to improve productivity and/or collaboration (15% of large organisations had a security breach involving smartphones or tablets, up from 7% in 2014);
- Large and small organisations appear to be subject to greater targeting by outsiders, with malware impacting nearly three-quarters of large organisations and three-fifths of small organisations;
- “Denial of service” (“DoS”) type attacks have dropped across the board; however, this reflects a more worrying trend that, since 2013, outsiders have been using more sophisticated methods (such as malware) to affect organisations;
- Unfortunately, the insider threat is not abating either: when questioned about the single worst breach suffered, half of all organisations attributed the cause to inadvertent human error (up from 31% in 2014);
- Furthermore, the survey revealed that nearly one third of organisations had not conducted any form of security risk assessment on their enterprise. This reverses the trend of the past two years and raises the question of whether businesses have the skills or experience to perform such assessments to an adequate degree;
- The trends of outsourcing certain security functions and of using cloud computing and storage continue to rise.
These statistics serve as a stark reminder that, despite the excellent strides being made in deploying cybersecurity solutions across businesses of all sizes, hackers and their methods are evolving even faster. The National Cyber Security Programme is trying to speed the adoption of better cybersecurity practices via the dissemination of practical guidance. In its first year of operation, the Cyber Essentials scheme looks to be gaining traction, with the report finding that nearly half of all the businesses surveyed plan to implement or have already implemented the scheme.