The number of information security breaches affecting UK businesses has decreased over the last year but the scale and cost of individual breaches have almost doubled.
The Information Security Breaches Survey 2014, commissioned by the Department for Business, Innovation and Skills (BIS) and carried out by PwC, found that 81% of large organisations suffered a security breach, down from 86% a year ago. 60% of small businesses reported a breach, down from 64% in 2013.
Although organisations are experiencing fewer breaches overall, the severity and impact of attacks have increased, with the average cost of an organisation’s worst breach rising significantly for the third consecutive year. For small organisations the worst breaches cost between £65,000 and £115,000 on average and for large organisations between £600,000 and £1.15 million.
The majority of businesses have increased IT security investment over the last year.
Universities and Science Minister David Willetts said:
These results show that British companies are still under cyber attack. Increasingly those that can manage cyber security risks have a clear competitive advantage.
Through the National Cyber Security Programme, the government is working with partners in business, academia and the education and skills sectors to equip the UK with the professional and technical skills we need for long-term economic growth.
Andrew Miller, cyber security director at PwC, said:
Whilst the number of breaches affecting UK business has fallen slightly over the past year the number remains high and in many companies more needs to be done to drive true management of security risks.
Breaches are becoming more sophisticated and their impact more damaging. Given the dynamic nature of the risk, boards need to be reviewing threats and vulnerabilities on a regular basis. As the average cost of an organisation’s worst breach has increased this year, businesses must make sure that the way they are spending their money in the control of cyber threats is effective. Organisations also need to develop the skills and capability to understand how the risk could impact their organisation and what strategic response is required.
70% of companies that have a poor understanding of security policy experienced staff-related breaches, compared to only 41% in companies where security is well understood. This suggests that communicating the security risks to staff and investing in ongoing awareness training results in fewer breaches.
The survey also found that there has been an increase in the number of businesses which are confident that they have the skills required within their organisations to detect, prevent and manage information security breaches – up to 59% from 53% last year.
Ensuring that we have the cyber skills capability to meet the evolving needs of businesses is a key objective of the UK’s National Cyber Security Strategy. Earlier this year (2014), the government unveiled a raft of new proposals to meet the increasing demand for cyber security skills. These include a new higher-level apprenticeship, special learning materials for 11 to 14 year-olds and plans to train teachers to teach cyber security.
Earlier this year (2014) the government launched a new scheme to help businesses stay safe online. Cyber Essentials provides clarity to organisations on what good cyber security practice is and sets out the steps they need to follow to manage cyber risks. From this summer (2014) organisations that have complied with the best practice recommendations will be able to apply to be awarded the Cyber Essentials Standard. This will demonstrate to potential customers that businesses have achieved a certain level of cyber security and take it seriously.
David Willetts will talk about the results of the survey in his speech at the Infosecurity Europe conference at Earls Court, London later today (29 April 2014). He will also unveil the 7 companies that have been identified as leaders in developing new techniques to protect data from criminals. They will benefit from £500,000 to carry out research and development projects as part of the Technology Strategy Board’s (TSB) cyber launchpad competition.
Notes to Editors
In the survey small businesses are those with 1 to 50 employees, and large businesses are those with more than 250 employees.
The 2014 Information Security Breaches Survey (ISBS) was commissioned by BIS and carried out by PwC in conjunction with Infosecurity Europe and Infosecurity Magazine. The results will be announced on Tuesday 29 April 2014 at the Infosecurity Europe event. Media copies of the report are available from the BIS press office.
This annual survey is carried out to increase understanding and transparency of the cyber security landscape in the UK. The survey is anonymous, enabling government and businesses to benefit from accurate information on the cyber risks that businesses are facing, and how businesses are managing them.
This guidance has been tailored to meet the needs of small businesses and helps them to understand and deal with cyber risk. It follows on from the “10 Steps to Cyber Security” guidance released by HM Government in September 2012, which was aimed at larger businesses and encouraging them to make cyber security a Board level responsibility. Media copies are available from the BIS press office.
BIS carries out this work under the National Cyber Security Programme, which in turn delivers the UK Cyber Security Strategy, a key objective of which is to tackle cyber crime and make the UK one of the most secure places in the world to do business in cyberspace.
PwC firms help organisations and individuals create the value they’re looking for. They are a network of firms in 158 countries with over 180,000 people who are committed to delivering quality in assurance, tax and advisory services. Find out more by visiting www.pwc.com. ‘PwC’ is the brand under which member firms of PricewaterhouseCoopers International Limited (PwCIL) operate and provide services. Together, these firms form the PwC network. Each firm in the network is a separate legal entity and does not act as agent of PwCIL or any other member firm. PwCIL does not provide any services to clients. PwCIL is not responsible or liable for the acts or omissions of any of its member firms nor can it control the exercise of their professional judgment or bind them in any way.
More information about the Technology Strategy Board’s cyber launchpad competition can be found at https://www.innovateuk.org/cyber-launchpad.
For further information please contact Katie Kilgallen on 020 7215 1861 / firstname.lastname@example.org or Nicola Thorogood on 020 7804 6007 / email@example.com.
The government’s long-term plan is to build a strong, more competitive economy and a fairer society.
Industrial Strategy gives impetus to the plan for growth by providing businesses, investors and the public with clarity about the long-term direction in which the government wants the economy to travel.
The first achievements and future priorities of the industrial strategy have been published and can be found here https://www.gov.uk/government/publications/industrial-strategy-early-successes-and-future-priorities.