Research and analysis
Information security breaches survey: supporting data
Updated 4 June 2015
Download CSV 43.4 KB
| Table 1 | "" |
|---|---|
| Not set | Not set |
| Q1_1_1. Where is your organisation's main location? | Not set |
| Not set | Not set |
| Total | |
| Not set | Not set |
| Total | 326 |
| Scotland | 2% |
| Northern Ireland | 0% |
| North West England | 7% |
| Yorkshire and North East England | 5% |
| Wales | 3% |
| Midlands | 6% |
| Eastern England | 6% |
| South West England | 8% |
| South East England | 22% |
| Greater London | 29% |
| Channel Islands | 1% |
| Elsewhere in Europe | 3% |
| North America | 5% |
| South America | - |
| Africa | 1% |
| Asia | 1% |
| Australia | - |
| Table 2 | "" |
| Not set | Not set |
| Q1_1_2. How many staff does your organisation employ in the UK and Channel Islands? | Not set |
| Not set | Not set |
| Total | |
| Not set | Not set |
| Total | 326 |
| None | 2% |
| Less than 10 | 17% |
| 10 to 49 | 8% |
| 50 to 249 | 13% |
| 250 to 499 | 8% |
| 500 to 9,999 | 35% |
| 10,000+ | 16% |
| Don't know | 0% |
| Table 3 | "" |
| Not set | Not set |
| Q1_1_3. In what sector is your main business activity? | Not set |
| Not set | Not set |
| Total | |
| Not set | Not set |
| Total | 326 |
| Agriculture | - |
| Banking | 4% |
| Consultancy and professional services | 18% |
| Distribution | 1% |
| Education | 5% |
| Government | 8% |
| Health | 4% |
| Insurance | 8% |
| Leisure and entertainment | 1% |
| Manufacturing | 3% |
| Media | 1% |
| Other financial services | 6% |
| Pharmaceutical | 1% |
| Property and construction | 3% |
| Retail | 3% |
| Services | 3% |
| Technology | 19% |
| Telecommunications | 2% |
| Travel | 2% |
| Utilities, energy and mining | 3% |
| Other | 6% |
| Table 4 | "" |
| Not set | Not set |
| Q1_1_4. Which of the following best describes your role in the organisation? | Not set |
| Not set | Not set |
| Total | |
| Not set | Not set |
| Total | 326 |
| Chief Executive Officer | 7% |
| Chief Operations Officer | 2% |
| Chief Information Officer | 4% |
| Chief Information Security Officer | 7% |
| Chief Finance Officer | 2% |
| Chief Risk Management Officer | 0% |
| Executive Director | 2% |
| Non-Executive Director | 1% |
| Managing Director | 10% |
| Information Security | 41% |
| Information Technology | 2% |
| Finance | 1% |
| Business Operations | 3% |
| Legal | - |
| Audit / Investigations | 4% |
| Risk Management | 5% |
| Other | 10% |
| Table 5 | "" |
| Not set | Not set |
| Q1_1_5. How high a priority is information security to your top management or director group? | Not set |
| Not set | Not set |
| Total | |
| Not set | Not set |
| Total | 326 |
| Very high priority | 41% |
| High priority | 41% |
| Neither high nor low priority | 13% |
| Low priority | 3% |
| Not a priority at all | 0% |
| Don't know | 2% |
| Table 6 | "" |
| Not set | Not set |
| Q1_1_6. How well do you think your staff understand your security policy? | Not set |
| Not set | Not set |
| Total | |
| Not set | Not set |
| Total | 326 |
| Very well understood | 21% |
| Quite well understood | 54% |
| Poorly understood | 23% |
| Don't know | 1% |
| Do not currently possess one | 2% |
| Table 7 | "" |
| Not set | Not set |
| Q1_1_7. What % of your total IT expenditure do you spend on information security? | Not set |
| Not set | Not set |
| Total | |
| Not set | Not set |
| Total | 326 |
| Zero | 2% |
| 1% or less | 12% |
| 2% to 5% | 23% |
| 6% to 10% | 19% |
| 11% to 25% | 14% |
| 26% to 50% | 3% |
| More than 50% | 2% |
| Don't know | 26% |
| Table 8 | "" |
| Not set | Not set |
| Q1_1_8. Has your organisation had what it considers a serious" breach (highest impact on your impact scale) in the last year?" | Not set |
| Not set | Not set |
| Total | |
| Not set | Not set |
| Total | 326 |
| Yes | 12% |
| No | 82% |
| Don't know | 6% |
| Table 9 | "" |
| Not set | Not set |
| Q1_2_2. How many times in the last year were you made aware that your systems have been infected by viruses or other malicious software either through detection by your own systems or reports from others? | Not set |
| Not set | Not set |
| Total | |
| Not set | Not set |
| Total | 328 |
| None | 21% |
| Once only in the last year | 12% |
| A few times in the last year | 35% |
| Roughly once a month | 7% |
| Roughly once a week | 6% |
| Roughly once a day | 4% |
| Several times a day | 5% |
| Hundreds of times every day | 1% |
| Don't know | 9% |
| Table 10 | "" |
| Not set | Not set |
| Q1_3_3. How many times in the last year have you become aware that your staff have used other people's IDs to gain unauthorised access to systems or data? | Not set |
| Not set | Not set |
| Total | |
| Not set | Not set |
| Total | 323 |
| None | 52% |
| Once only in the last year | 8% |
| A few times in the last year | 19% |
| Roughly once a month | 7% |
| Roughly once a week | 2% |
| Roughly once a day | 0% |
| Several times a day | 2% |
| Hundreds of times every day | - |
| Don't know | 11% |
| Table 11 | "" |
| Not set | Not set |
| Q1_3_4. How many times in the last year have you become aware of breaches in data protection laws/regulations in your company? | Not set |
| Not set | Not set |
| Total | |
| Not set | Not set |
| Total | 323 |
| None | 56% |
| Once only in the last year | 8% |
| A few times in the last year | 16% |
| Roughly once a month | 5% |
| Roughly once a week | 2% |
| Roughly once a day | 1% |
| Several times a day | 1% |
| Hundreds of times every day | - |
| Don't know | 10% |
| Table 12 | "" |
| Not set | Not set |
| Q1_3_5. How many times in the last year have you become aware that your staff have deliberately obtained and misused confidential / sensitive data? | Not set |
| Not set | Not set |
| Total | |
| Not set | Not set |
| Total | 323 |
| None | 67% |
| Once only in the last year | 6% |
| A few times in the last year | 11% |
| Roughly once a month | 2% |
| Roughly once a week | 1% |
| Roughly once a day | 0% |
| Several times a day | 0% |
| Hundreds of times every day | - |
| Don't know | 13% |
| Table 13 | "" |
| Not set | Not set |
| Q1_3_6. How many times in the last year have you become aware that your staff have accidentally lost or leaked your confidential / sensitive data? | Not set |
| Not set | Not set |
| Total | |
| Not set | Not set |
| Total | 323 |
| None | 49% |
| Once only in the last year | 13% |
| A few times in the last year | 20% |
| Roughly once a month | 6% |
| Roughly once a week | 2% |
| Roughly once a day | 0% |
| Several times a day | 1% |
| Hundreds of times every day | - |
| Don't know | 10% |
| Table 14 | "" |
| Not set | Not set |
| Q1_3_7. How many times in the last year have you become aware that your staff have used your computer systems to carry out financial fraud or theft? | Not set |
| Not set | Not set |
| Total | |
| Not set | Not set |
| Total | 323 |
| None | 78% |
| Once only in the last year | 5% |
| A few times in the last year | 2% |
| Roughly once a month | 1% |
| Roughly once a week | 1% |
| Roughly once a day | 0% |
| Several times a day | 0% |
| Hundreds of times every day | - |
| Don't know | 12% |
| Table 15 | "" |
| Not set | Not set |
| Q1_3_8. How many times in the last year have you become aware that your staff have stolen some of your computer equipment? | Not set |
| Not set | Not set |
| Total | |
| Not set | Not set |
| Total | 323 |
| None | 69% |
| Once only in the last year | 10% |
| A few times in the last year | 7% |
| Roughly once a month | 2% |
| Roughly once a week | 1% |
| Roughly once a day | 0% |
| Several times a day | 0% |
| Hundreds of times every day | - |
| Don't know | 11% |
| Table 16 | "" |
| Not set | Not set |
| Q1_3_9. How many times in the last year have you become aware that your staff have deliberately sabotaged your data or systems? | Not set |
| Not set | Not set |
| Total | |
| Not set | Not set |
| Total | 323 |
| None | 83% |
| Once only in the last year | 3% |
| A few times in the last year | 1% |
| Roughly once a month | 1% |
| Roughly once a week | 1% |
| Roughly once a day | 0% |
| Several times a day | - |
| Hundreds of times every day | - |
| Don't know | 10% |
| Table 17 | "" |
| Not set | Not set |
| Q1_4_2. How many times in the last year have you been made aware that unauthorised outsiders have succeeded in penetrating your network? | Not set |
| Not set | Not set |
| Total | |
| Not set | Not set |
| Total | 323 |
| None | 72% |
| Once only in the last year | 9% |
| A few times in the last year | 4% |
| Roughly once a month | 1% |
| Roughly once a week | 1% |
| Roughly once a day | - |
| Several times a day | 1% |
| Hundreds of times every day | 1% |
| Don't know | 12% |
| Table 18 | "" |
| Not set | Not set |
| Q1_4_3. How many times in the last year have you been made aware that unauthorised outsiders have launched a Denial of Service (DoS) or Distributed DoS attack against your systems? | Not set |
| Not set | Not set |
| Total | |
| Not set | Not set |
| Total | 322 |
| None | 63% |
| Once only in the last year | 11% |
| A few times in the last year | 9% |
| Roughly once a month | 3% |
| Roughly once a week | 1% |
| Roughly once a day | - |
| Several times a day | 1% |
| Hundreds of times every day | 0% |
| Don't know | 11% |
| Table 19 | "" |
| Not set | Not set |
| Q1_4_4. How many times in the last year have you been made aware that unauthorised outsiders have eavesdropped on your internet or telecommunications traffic? | Not set |
| Not set | Not set |
| Total | |
| Not set | Not set |
| Total | 322 |
| None | 65% |
| Once only in the last year | 3% |
| A few times in the last year | 3% |
| Roughly once a month | 0% |
| Roughly once a week | 1% |
| Roughly once a day | 0% |
| Several times a day | 1% |
| Hundreds of times every day | 0% |
| Don't know | 26% |
| Table 20 | "" |
| Not set | Not set |
| Q1_4_5. How many times in the last year have you been made aware that unauthorised outsiders have misused your company's identity (e.g. Phishing)? | Not set |
| Not set | Not set |
| Total | |
| Not set | Not set |
| Total | 322 |
| None | 52% |
| Once only in the last year | 10% |
| A few times in the last year | 15% |
| Roughly once a month | 3% |
| Roughly once a week | 4% |
| Roughly once a day | 1% |
| Several times a day | 2% |
| Hundreds of times every day | 1% |
| Don't know | 12% |
| Table 21 | "" |
| Not set | Not set |
| Q1_4_6. How many times in the last year have you been made aware that unauthorised outsiders have pretended to be one of your customers with a view to fraud (identity theft)? | Not set |
| Not set | Not set |
| Total | |
| Not set | Not set |
| Total | 322 |
| None | 59% |
| Once only in the last year | 5% |
| A few times in the last year | 13% |
| Roughly once a month | 6% |
| Roughly once a week | 0% |
| Roughly once a day | 1% |
| Several times a day | 1% |
| Hundreds of times every day | 0% |
| Don't know | 14% |
| Table 22 | "" |
| Not set | Not set |
| Q1_4_7. How many times in the last year have you been made aware that unauthorised outsiders have stolen some of your computer equipment? | Not set |
| Not set | Not set |
| Total | |
| Not set | Not set |
| Total | 322 |
| None | 69% |
| Once only in the last year | 8% |
| A few times in the last year | 9% |
| Roughly once a month | 2% |
| Roughly once a week | 1% |
| Roughly once a day | 0% |
| Several times a day | - |
| Hundreds of times every day | - |
| Don't know | 11% |
| Table 23 | "" |
| Not set | Not set |
| Q1_4_8. How many times in the last year have you been made aware that unauthorised outsiders have exfiltrated confidential information from your organisation? | Not set |
| Not set | Not set |
| Total | |
| Not set | Not set |
| Total | 322 |
| None | 71% |
| Once only in the last year | 4% |
| A few times in the last year | 3% |
| Roughly once a month | 1% |
| Roughly once a week | 1% |
| Roughly once a day | 0% |
| Several times a day | - |
| Hundreds of times every day | - |
| Don't know | 20% |
| Table 24 | "" |
| Not set | Not set |
| Q3_2_1a. Which is the most important driver for your information security expenditure? | Not set |
| Not set | Not set |
| Total | |
| Not set | Not set |
| Total | 319 |
| Preventing downtime and outages | 11% |
| Protecting intellectual property | 10% |
| Protecting customer information | 33% |
| Protecting other assets (e.g. Cash) from theft | 1% |
| Maintaining data integrity | 5% |
| Complying with laws/regulations | 10% |
| Business continuity in a disaster situation | 2% |
| Protecting the organisation's reputation | 20% |
| Enabling business opportunities | 2% |
| Improving efficiency/cost reduction | 1% |
| Suffered a serious security breach | 1% |
| Government cyber security initiatives | 2% |
| Other | - |
| Don't know | 3% |
| Table 25 | "" |
| Not set | Not set |
| Q3_2_1b. Which is the second most important driver for your information security expenditure? | Not set |
| Not set | Not set |
| Total | |
| Not set | Not set |
| Total | 310 |
| Preventing downtime and outages | 13% |
| Protecting intellectual property | 6% |
| Protecting customer information | 18% |
| Protecting other assets (e.g. Cash) from theft | 3% |
| Maintaining data integrity | 10% |
| Complying with laws/regulations | 17% |
| Business continuity in a disaster situation | 4% |
| Protecting the organisation's reputation | 20% |
| Enabling business opportunities | 4% |
| Improving efficiency/cost reduction | 2% |
| Suffered a serious security breach | 2% |
| Government cyber security initiatives | 2% |
| Other | - |
| Don't know | 1% |
| Table 26 | "" |
| Not set | Not set |
| Q3_2_1c. Which is the third most important driver for your information security expenditure? | Not set |
| Not set | Not set |
| Total | |
| Not set | Not set |
| Total | 306 |
| Preventing downtime and outages | 13% |
| Protecting intellectual property | 7% |
| Protecting customer information | 14% |
| Protecting other assets (e.g. Cash) from theft | 2% |
| Maintaining data integrity | 11% |
| Complying with laws/regulations | 17% |
| Business continuity in a disaster situation | 10% |
| Protecting the organisation's reputation | 13% |
| Enabling business opportunities | 4% |
| Improving efficiency/cost reduction | 3% |
| Suffered a serious security breach | 1% |
| Government cyber security initiatives | 3% |
| Other | 0% |
| Don't know | 0% |
| Table 27 | "" |
| Not set | Not set |
| Q3_2_9. How are cyber security risks identified and assured? | Not set |
| Not set | Not set |
| Total | |
| Not set | Not set |
| Total | 317 |
| Internal Audit | 61% |
| Outsourced managed security provider | 24% |
| Business as usual healthchecks | 40% |
| Ad-hoc healthchecks / reviews | 46% |
| Information / Cyber security risk assessment | 64% |
| Other | 4% |
| Don't know | 5% |
| Table 28 | "" |
| Not set | Not set |
| Q3_2_4. What information do you use to help you evaluate the security threats that your organisation faces? | Not set |
| Not set | Not set |
| Total | |
| Not set | Not set |
| Total | 313 |
| Discussions with senior management | 53% |
| Views of internal security experts | 64% |
| External security consultants | 46% |
| Guidance from security bodies (e.g. ISF, IISP, ISC2) | 51% |
| Alerts from government/intelligence services | 53% |
| Government Cyber Security Ten Steps guidance | 30% |
| Advice from security product vendors | 49% |
| News reports in the media | 51% |
| Industry Groups ('chatham house' rules type meeting) | 36% |
| Cyber-security Information Sharing Partnership (CiSP) | 27% |
| Other | 4% |
| !None of the above | 1% |
| !Don't know | 5% |
| Table 29 | "" |
| Not set | Not set |
| Q3_2_5. How often do the CEO and Board members receive updates on who may be attacking your organisation? | Not set |
| Not set | Not set |
| Total | |
| Not set | Not set |
| Total | 310 |
| Daily | 7% |
| Weekly | 11% |
| Monthly | 19% |
| Quarterly | 19% |
| Annually | 6% |
| Less frequently than annually | 6% |
| Never | 11% |
| Don't know | 22% |
| Table 30 | "" |
| Not set | Not set |
| Q3_2_6. How clear is it who owns critical data within your organisation and takes responsibility for ensuring the data is protected? | Not set |
| Not set | Not set |
| Total | |
| Not set | Not set |
| Total | 309 |
| Very clear | 40% |
| Quite clear | 37% |
| Not clear | 21% |
| Don't know | 1% |
| Table 31 | "" |
| Not set | Not set |
| Q3_2_7. How is information classified within your organisation and is it consistently applied? | Not set |
| Not set | Not set |
| Total | |
| Not set | Not set |
| Total | 309 |
| Data classification scheme exists and consistently applied | 33% |
| Data classification scheme exists but not consistently applied | 33% |
| Document management policies exist and consistently applied | 16% |
| Document management policies exist but not consistently applied | 22% |
| No meaningful differentiation between different information types | 11% |
| Not applicable as information is not classified | 10% |
| Don't know | 4% |
| Table 32 | "" |
| Not set | Not set |
| Q3_2_8. What cyber security governance and risk management arrangements do you have in place? | Not set |
| Not set | Not set |
| Total | |
| Not set | Not set |
| Total | 308 |
| CISO in place | 33% |
| Board member with responsibility for Cyber risks | 44% |
| Cyber security risks are included on Directorate / Departmental risk registers | 31% |
| Cyber security risks are promoted into the Enterprise risk register | 39% |
| Cyber security risks included within the Internal Audit plan | 44% |
| Security risk assessment carried out in the last year | 59% |
| Formal cyber security policy in place | 46% |
| Other | 4% |
| !None of the above | 7% |
| !Don't know | 7% |
| Table 33 | "" |
| Not set | Not set |
| Q3_3_1. Has your organisation documented its information security policy? | Not set |
| Not set | Not set |
| Total | |
| Not set | Not set |
| Total | 307 |
| Yes | 84% |
| No | 14% |
| Don't know | 2% |
| Table 34 | "" |
| Not set | Not set |
| Q3_3_2. Do you provide staff with any security awareness training? | Not set |
| Not set | Not set |
| Total | |
| Not set | Not set |
| Total | 307 |
| Yes - on induction and regularly thereafter | 64% |
| Yes - on induction only | 21% |
| No | 12% |
| Don't know | 2% |
| Table 35 | "" |
| Not set | Not set |
| Q3_3_3. Has staff security awareness increased or decreased over the last year? | Not set |
| Not set | Not set |
| Total | |
| Not set | Not set |
| Total | 307 |
| Increased | 61% |
| Decreased | 2% |
| Stayed the same | 31% |
| Don't know | 6% |
| Table 36 | "" |
| Not set | Not set |
| Q3_3_4. What steps have you taken to raise your customers' security awareness? | Not set |
| Not set | Not set |
| Total | |
| Not set | Not set |
| Total | 306 |
| Providing direct guidance (e.g. On your web-site) | 51% |
| Sponsorship or industry initiatives | 13% |
| Providing customers with security tools (e.g. Anti-virus) | 25% |
| Other steps | 13% |
| No steps taken | 28% |
| Don't know | 9% |
| Table 37 | "" |
| Not set | Not set |
| Q3_3_5. Has your organisation implemented the principles of the International Standard for Information Security Management (ISO 27001)? | Not set |
| Not set | Not set |
| Total | |
| Not set | Not set |
| Total | 306 |
| Yes, completely | 22% |
| Yes, partially | 33% |
| No, but plan to | 12% |
| No, and not planned | 25% |
| Don't know | 8% |
| Table 38 | "" |
| Not set | Not set |
| Q3_3_12. Has your organisation implemented Cyber Essentials and Cyber Essentials plus? | Not set |
| Not set | Not set |
| Total | |
| Not set | Not set |
| Total | 306 |
| Yes - badged for Cyber Essentials plus | 2% |
| Yes - badged for Cyber Essentials | 2% |
| Cyber Essentials fully implemented but not badged | 4% |
| Cyber Essentials plus fully implemented but not badged | 2% |
| Partially implemented | 11% |
| No - but plan to | 19% |
| No - and not planned | 42% |
| Don't know | 16% |
| Table 39 | "" |
| Not set | Not set |
| Q3_3_6. How has the amount that you spend on information security changed over the last year? | Not set |
| Not set | Not set |
| Total | |
| Not set | Not set |
| Total | 306 |
| Increased | 46% |
| Stayed the same | 39% |
| Decreased | 3% |
| Don't know | 11% |
| Table 40 | "" |
| Not set | Not set |
| Q3_3_8. Which of the following techniques do you use to evaluate the effectiveness of your spend on information security? | Not set |
| Not set | Not set |
| Total | |
| Not set | Not set |
| Total | 304 |
| Measuring trend in security incidents/costs | 37% |
| Benchmarking against other organisations | 14% |
| Return on investment calculations (ROI) | 14% |
| Measuring staff awareness | 27% |
| Monitoring level of regulatory compliance | 33% |
| Feedback from management | 29% |
| Active technical testing such as penetration testing and cyber attack simulation | 39% |
| Table top exercise | 13% |
| Other formalised process | 3% |
| !Don't formally evaluate the effectiveness of information security spend | 26% |
| !Don't know | 11% |
| Table 41 | "" |
| Not set | Not set |
| Q3_3_9. Which standards and good practice guides do you ensure your suppliers comply with? | Not set |
| Not set | Not set |
| Total | |
| Not set | Not set |
| Total | 304 |
| A recognised standard such as ISO 27001 | 51% |
| Government-related requirements | 31% |
| Payment card industry (PCI) | 37% |
| Independent service auditor's report (e.g. ISAE 3402) | 13% |
| Cyber Essentials | 9% |
| Cyber Essentials Plus | 5% |
| Other | 4% |
| !None | 19% |
| !Don't know | 10% |
| Table 42 | "" |
| Not set | Not set |
| Q3_3_10. Do you have a formal incident management process? | Not set |
| Not set | Not set |
| Total | |
| Not set | Not set |
| Total | 302 |
| Yes - including incident identification, response and recovery | 31% |
| Yes - including incident identification, response, recovery and root cause analysis | 16% |
| Yes - including incident identification, response, recovery, root cause analysis and continuous improvement | 31% |
| No | 19% |
| Don't know | 3% |
| Table 43 | "" |
| Not set | Not set |
| Q3_3_11. Which of the following 10 Steps" security practices do you conduct?" | Not set |
| Not set | Not set |
| Total | |
| Not set | Not set |
| Total | 300 |
| Directors are engaged with cyber risk through specification of risk appetite and approval of cyber risk management policy | 50% |
| Policy to control all access to removable devices | 59% |
| Established training programme and awareness of cyber risks | 55% |
| Incident management capabilities | 70% |
| Mobile working policy and training | 64% |
| Patch management | 77% |
| Up to date malware protection | 88% |
| User account management | 80% |
| Monitor user activity | 60% |
| IT logging and monitoring | 70% |
| None of the above | 1% |
| Table 44 | "" |
| Not set | Not set |
| Q3_4_1. How are you primarily made aware and how do you track regulation and guidance (domestic and international) relevant to cyber security including data protection and information management? | Not set |
| Not set | Not set |
| Total | |
| Not set | Not set |
| Total | 299 |
| General Council is engaged and has this responsibility | 7% |
| Obtain regular external legal advice | 7% |
| Data protection officers engaged with the security programme and upcoming regulation | 25% |
| CISO has responsibility for identifying upcoming regulation | 20% |
| Upcoming regulation and guidance is not tracked effectively | 17% |
| Other | 6% |
| Don't know | 18% |
| Table 45 | "" |
| Not set | Not set |
| Close 1. Many thanks for your time today. That is the end of part one of this survey. We will be distributing invites to complete part 2 in the future or alternatively you can complete part 2 now here. When would you like to complete part 2? | Not set |
| Not set | Not set |
| Total | |
| Not set | Not set |
| Total | 215 |
| Now | 57% |
| Next year | 43% |
| Table 46 | "" |
| Not set | Not set |
| Q2_1_1. Where is your organisation's main location? | Not set |
| Not set | Not set |
| Total | |
| Not set | Not set |
| Total | 338 |
| Scotland | 3% |
| Northern Ireland | 1% |
| North West England | 6% |
| Yorkshire and North East England | 5% |
| Wales | 3% |
| Midlands | 7% |
| Eastern England | 5% |
| South West England | 10% |
| South East England | 20% |
| Greater London | 29% |
| Channel Islands | 0% |
| Elsewhere in Europe | 4% |
| North America | 4% |
| South America | - |
| Africa | 1% |
| Asia | 2% |
| Australia | 1% |
| Table 47 | "" |
| Not set | Not set |
| Q2_1_2. How many staff does your organisation employ in the UK and Channel Islands? | Not set |
| Not set | Not set |
| Total | |
| Not set | Not set |
| Total | 338 |
| None | 3% |
| Less than 10 | 19% |
| 10 to 49 | 11% |
| 50 to 249 | 14% |
| 250 to 499 | 6% |
| 500 to 9,999 | 33% |
| 10,000+ | 13% |
| Don't know | 1% |
| Table 48 | "" |
| Not set | Not set |
| Q2_1_3. In what sector is your main business activity? | Not set |
| Not set | Not set |
| Total | |
| Not set | Not set |
| Total | 338 |
| Agriculture | 0% |
| Banking | 5% |
| Consultancy and professional services | 20% |
| Distribution | 1% |
| Education | 6% |
| Government | 7% |
| Health | 4% |
| Insurance | 6% |
| Leisure and entertainment | 1% |
| Manufacturing | 2% |
| Media | 2% |
| Other financial services | 6% |
| Pharmaceutical | 1% |
| Property and construction | 3% |
| Retail | 2% |
| Services | 4% |
| Technology | 19% |
| Telecommunications | 1% |
| Travel | 2% |
| Utilities, energy and mining | 3% |
| Other | 7% |
| Table 49 | "" |
| Not set | Not set |
| Q2_1_4. Which of the following best describes your role in the organisation? | Not set |
| Not set | Not set |
| Total | |
| Not set | Not set |
| Total | 338 |
| Chief Executive Officer | 7% |
| Chief Operations Officer | 2% |
| Chief Information Officer | 4% |
| Chief Information Security Officer | 7% |
| Chief Finance Officer | 3% |
| Chief Risk Management Officer | 1% |
| Executive Director | 2% |
| Non-Executive Director | 1% |
| Managing Director | 10% |
| Information Security | 37% |
| Information Technology | 1% |
| Finance | 1% |
| Business Operations | 5% |
| Legal | 0% |
| Audit / Investigations | 6% |
| Risk Management | 6% |
| Other | 8% |
| Table 50 | "" |
| Not set | Not set |
| Q2_1_5. How high a priority is information security to your top management or director group? | Not set |
| Not set | Not set |
| Total | |
| Not set | Not set |
| Total | 338 |
| Very high priority | 39% |
| High priority | 42% |
| Neither high nor low priority | 13% |
| Low priority | 3% |
| Not a priority at all | 2% |
| Don't know | 1% |
| Table 51 | "" |
| Not set | Not set |
| Q2_1_6. How well do you think your staff understand your security policy? | Not set |
| Not set | Not set |
| Total | |
| Not set | Not set |
| Total | 338 |
| Very well understood | 21% |
| Quite well understood | 53% |
| Poorly understood | 23% |
| Don't know | 1% |
| Do not currently possess one | 2% |
| Table 52 | "" |
| Not set | Not set |
| Q2_1_7. What % of your total IT expenditure do you spend on information security? | Not set |
| Not set | Not set |
| Total | |
| Not set | Not set |
| Total | 338 |
| Zero | 2% |
| 1% or less | 12% |
| 2% to 5% | 22% |
| 6% to 10% | 17% |
| 11% to 25% | 15% |
| 26% to 50% | 2% |
| More than 50% | 1% |
| Don't know | 28% |
| Table 53 | "" |
| Not set | Not set |
| Q2_1_8. Has your organisation had what it considers a serious" breach (highest impact on your impact scale) in the last year?" | Not set |
| Not set | Not set |
| Total | |
| Not set | Not set |
| Total | 338 |
| Yes | 13% |
| No | 79% |
| Don't know | 8% |
| Table 54 | "" |
| Not set | Not set |
| Q2_2_1. What type of incident was your worst breach this year? | Not set |
| Not set | Not set |
| Total | |
| Not set | Not set |
| Total | 46 |
| Infection by a virus or other malicious software | 11% |
| Staff misuse of the internet or email | 9% |
| Breach of laws/regulations | 7% |
| Attack on website or internet gateway | 22% |
| Systems failure or data corruption | 11% |
| Fraud or theft using computer systems | 2% |
| Theft or unauthorised disclosure of confidential data | 20% |
| Physical theft of computer equipment | - |
| Compromise of internal systems with subsequent remote access | 7% |
| Other | 9% |
| Not applicable - no security incidents in the year | 4% |
| Table 55 | "" |
| Not set | Not set |
| Q2_2_3. How was the incident identified? | Not set |
| Not set | Not set |
| Total | |
| Not set | Not set |
| Total | 42 |
| By its impact on the business | 17% |
| By routine internal security monitoring | 26% |
| By other internal control activities (e.g. Reconciliations, audits) | 12% |
| From reporting of similar incidents in the media | - |
| From warning by government/law enforcement | 7% |
| By accident | 10% |
| From direct reporting by the media | 10% |
| Other | 17% |
| Don't know | 2% |
| Not applicable | - |
| Table 56 | "" |
| Not set | Not set |
| Q2_2_4. How long was it between the breach occurring and it being identified as a breach? | Not set |
| Not set | Not set |
| Total | |
| Not set | Not set |
| Total | 42 |
| Immediate | 17% |
| Within a few hours | 17% |
| Within a day | 10% |
| Within a week | 19% |
| Within a month | 17% |
| Within 100 days | 7% |
| Longer than 100 days | 7% |
| Organisation identified and dealt with risk before a breach occurred | - |
| Don't know | 7% |
| Not applicable | - |
| Table 57 | "" |
| Not set | Not set |
| Q2_2_5. Which of the following factors contributed to the incident occurring? | Not set |
| Not set | Not set |
| Total | |
| Not set | Not set |
| Total | 42 |
| Insufficient priority placed on security by senior management | 26% |
| Weaknesses in vetting people | 5% |
| Inadvertent human error | 36% |
| Deliberate misuse of systems by staff | 14% |
| Lack of staff awareness of security risks | 33% |
| Lack of staff awareness of legal/regulatory requirements | 12% |
| Poorly designed processes | 24% |
| Failure to follow a defined process | 26% |
| Weaknesses in someone else's security | 10% |
| Poorly designed technical configuration | 14% |
| Failure to keep technical configuration up to date | 19% |
| Failure of technical security control to mitigate effectively | 12% |
| External attack specifically targeted at your organisation | 17% |
| Indiscriminate external attack | 7% |
| Portable media bypassed defences | 2% |
| Politically motivated as a consequence of policies/clients etc | 2% |
| Other | 5% |
| !None of the above | 2% |
| !Don't know | 5% |
| !Not applicable | - |
| Table 58 | "" |
| Not set | Not set |
| Q2_2_6. What made this incident the worst of the year? | Not set |
| Not set | Not set |
| Total | |
| Not set | Not set |
| Total | 42 |
| Business disruption | 21% |
| Cost to investigate and fix | 14% |
| Value of lost assets | 10% |
| Reputational damage | 38% |
| Other | 10% |
| Not applicable | 7% |
| Table 59 | "" |
| Not set | Not set |
| Q2_2_7. Who was this breach reported to? | Not set |
| Not set | Not set |