Effective cyber security is good for business, according to the UK’s Department for Business, Innovation and Skills (BIS), which has published its 2013 Information Security Breaches Survey. The report presents the findings from over 1000 respondents across small, medium and large firms in a range of sectors. The figures show that companies in the UK have experienced the highest ever number of reported security breaches and the costs to firms are also at an all-time high. The average cost to a large firm of its worst security breach is reported to be between £450k and £850k. For small firms, the figure ranges between £35k and £65k.
The increased use of cloud computing, mobile devices and social networks can increase risk (14% of large organisations reported a security breach via a social network). Ongoing changes in the business environment can also lead to uncertainty about who is responsible for information and data ‘ownership’. This is particularly true in large organisations where 33% of respondents reported that such responsibilities were ‘unclear’.
Most of the respondents reported that they have written information security policies, yet 34% report that employee understanding is poor. Training levels remain low, despite evidence that training and awareness can significantly reduce the impact of security breaches.
Threats from outside – and within
The BIS states that cyber-attacks have grown ‘in frequency and intensity’ over the last year. These include hacktivism attacks, phishing, identity fraud and denial of service attacks. Companies are not just subject to external threats. Staff-related breaches may be both deliberate and inadvertent, and can range from accidentally sending emails to the wrong recipients to disgruntled employees taking business-critical data with them when they leave the company.
- 87% of small firms experienced a security breach last year
- 93% of large companies experienced a security breach
- 36% of the worst security breaches were caused by inadvertent human error
- 10% of the worst security breaches were caused by deliberate misuse of systems by staff
- 23% of respondents haven’t carried out any form of security risk assessment
- 9% of large organisations had a security or data breach in the last year involving smartphones or tablets
- 4% of respondents had a security or data breach in the last year relating to one of their cloud computing services
- 92% of respondents expect to spend at least the same on security next year (and 47% expect to spend more)