
29 April 2014

Cyber security costs soar as businesses challenge hackers and attackers

The number of cyber-attacks on UK firms has fallen slightly over the past year, but the scale of attacks, and the subsequent cost, is soaring.

That’s according to the Information Security Breaches Survey 2014, commissioned by the Department for Business, Innovation and Skills (BIS) and undertaken by PwC.

The 2014 survey found that, across the UK, 81% of large organisations (having more than 250 employees) had suffered a security breach, down from 86% a year ago. Some 60% of small businesses (employing fewer than 50) also reported a breach, down from 64% in 2013.

The majority of businesses have increased IT security investment over the last year and this may in part account for the small decline in successful security breaches. However, one in ten undertakings were so badly damaged by cyber-attacks that they had to change the nature of their business.

The survey, which included Northern Ireland, found that organisations, regardless of size, experienced five main security breaches, with the average small firm experiencing some form of cyber-attack or breach every eight weeks.

Large organisations were successfully attacked on average 16 times over the past year and small organisations on average 6 times. The main breaches over the past 12 months were:

  1. Virus or malicious software infection - 73% of large and 45% of small organisations.
  2. Attack by unauthorised outsider(s) - 55% large and 33% small organisations.
  3. Denial of service attacks - 38% large and 16% small organisations.
  4. Network penetration by outsider(s) - 24% large and 12% small organisations.
  5. Intellectual property/confidential data theft - 16% large and 4% small organisations.

Although organisations are experiencing fewer breaches overall, the severity and impact of attacks have increased, with the average cost of an organisation’s worst breach rising significantly for the third consecutive year.

For small organisations the worst breaches cost between £65,000 and £115,000 on average each, and for large organisations the worst breaches cost between £600,000 and £1.15 million.

Commenting on the 2014 survey, Universities and Science Minister David Willetts said:

“These results show that UK companies are still under cyber-attack. Increasingly those that can manage cyber security risks have a clear competitive advantage.

“Through the National Cyber Security Programme, the government is working with partners in business, academia and the education and skills sectors to equip the UK with the professional and technical skills we need for long-term economic growth.”

Security breaches related to staff, whether caused through ignorance, human error or malice, also fell this year to 58% for large organisations (from 73% a year ago) and to 22% for small undertakings (down from 41% a year ago).

However, the authors found that nearly a third (31%) of the worst security breaches this year were caused by human error, with a further 20% due to deliberate misuse of systems by staff.

70% of companies that admitted having a poor understanding of security policy experienced staff-related breaches, compared to only 41% in companies where security is well understood.

This suggests that communicating the security risks to staff and investing in ongoing awareness training results in fewer breaches.

Andrew Miller, cyber security director at PwC, said:

“Whilst the number of breaches affecting UK business has fallen slightly over the past year the number remains high and in many companies more needs to be done to drive true management of security risks.

“Breaches are becoming more sophisticated and their impact more damaging and given the dynamic nature of the risk, boards need to be reviewing threats and vulnerabilities on a regular basis.

“As the average cost of an organisation’s worst breach has increased this year, businesses must make sure that the way they are spending their money in the control of cyber threats is effective. 

“Organisations also need to develop the skills and capability to understand how the risk could impact their organisation and what strategic response is required.”

The survey also found that there has been an increase in the number of businesses confident of possessing the skills required to detect, prevent and manage information security breaches – up to 59% from 53% last year.

Earlier this year, the government unveiled a raft of new proposals to meet the increasing demand for cyber security skills. These include a new higher-level apprenticeship, special learning materials for 11 to 14-year-olds and plans to train teachers to teach cyber security.

The government has also launched a new scheme to help businesses stay safe online. Cyber Essentials provides clarity to organisations on what good cyber security practice is and sets out the steps they need to follow to manage cyber risks.

From this summer, organisations that have complied with the best practice recommendations will be able to apply to be awarded the Cyber Essentials Standard. This will demonstrate to potential customers that businesses have achieved a certain level of cyber security and take it seriously.

Download 2014 ISBS Executive Summary

Contact details

Email: John Compton

Tel: +44 (0)28 9041 5663