After declining in number for the last few years, a new wave of security breaches is hitting UK organisations, costing them billions of pounds, despite the fact that security remains high on management's agenda and the recession has not dampened spending on security, according to a survey released today by PricewaterhouseCoopers LLP (PwC) at Infosecurity Europe.
Technology has continued to evolve rapidly through greater use of cloud computing and social networks, and public and private sector organisations appear to have a greater understanding of security risks and the need for assurance over them. However, most are ill-prepared to deal with them. These are among the key findings of the 2010 Information Security Breaches Survey (ISBS) commissioned by Infosecurity Europe and written by PricewaterhouseCoopers LLP. They were revealed at the annual Infosecurity Europe show in London today.
Chris Potter, partner, OneSecurity, PricewaterhouseCoopers LLP, commented:
“Almost half the organisations we polled told us they had increased their expenditure on information security in the last year and roughly the same number said they expected to spend more on it next year. At the same time most organisations (82% of large ones and 75% of smaller ones) assess information security risks now, compared to just 48% who did so in 2008. So organisations are getting better at understanding security risks in a changing business environment where a large majority of them are relying increasingly on external services hosted over the internet.
“However, this focus is not translating into fewer breaches of security; in fact the number has risen to well over double what it was two years ago and has reached record levels for all sizes of organisation. All types of breach were on the increase and a conservative estimate is that the total cost of breaches to UK business in billions of pounds is now well into double figures.”
Compared with two years ago when a comparable survey was carried out by PwC, there has been a dramatic reversal of the declining trend in security breaches. Whereas 35% of those polled in 2008 said they had had a malicious security breaches in the previous year, this time round the figures were 90% for large organisations (more than 250 employees) and 74% for small ones(up to 25 employees).
At the same time the average number of breaches and cost were also up on two years ago. Smaller businesses averaged 11 (six in 2008) breaches with their worst incident of the year costing up to £55 000 (about R620 000) (£20 000) (about R224 000) on average, while larger ones averaged 45 breaches (15) with the worst incident costing up to £690 000 (about R7.75 million) (£170 000) (about R1.9 million) each.
Most respondents were pessimistic about the future with 56% of large organisations and 43% of smaller ones expecting more incidents next year, back to levels last recorded in 2006.
Andrew Beard, director, OneSecurity, PricewaterhouseCoopers LLP, commented:
“Part of the solution to ensure better security is encrypting data and we see that there has been huge improvements in this area with regard to laptops, USB sticks and other removable media. But educating people is just as important and more companies than ever before now have a security policy, although only 19% of respondents from large organisations believed their policy is very well understood by staff. The root cause of this is that investment in security awareness training, while on the increase, is still often inadequate.”
Larger organisations are being bombarded with attacks:
Protecting customer information remains the highest driver for security expenditure but an increasing number of serious confidentiality breaches were reported. Among large organisations 46% said they had had staff lose or leak confidential data, while 45% of confidentiality breaches were very or extremely serious (the equivalent figure for other breaches was just 15%).
Source: PricewaterhouseCoopers
