Cost of business cyber security breaches almost double
Published at 10:09 AM on 29 April 2014
The number of information security breaches affecting UK businesses has decreased over the last year, but the scale and cost of individual breaches have almost doubled.
The Information Security Breaches Survey 2014, commissioned by the Department for Business, Innovation and Skills (BIS) and carried out by PwC, found that eighty-one per cent of large organisations suffered a security breach, down from eighty-six per cent a year ago. Sixty per cent of small businesses reported a breach, down from sixty-four per cent in 2013.
Although organisations are experiencing fewer breaches overall, the severity and impact of attacks have increased, with the average cost of an organisation’s worst breach rising significantly for the third consecutive year. For small organisations the worst breaches cost between £65,000 and £115,000 on average and for large organisations between £600,000 and £1.15 million.
The majority of businesses have increased IT security investment over the last year.
Universities and Science Minister David Willetts said:
“These results show that British companies are still under cyber attack. Increasingly those that can manage cyber security risks have a clear competitive advantage.
“Through the National Cyber Security Programme, the government is working with partners in business, academia and the education and skills sectors to equip the UK with the professional and technical skills we need for long-term economic growth.”
Andrew Miller, cyber security director at PwC, said:
“Whilst the number of breaches affecting UK business has fallen slightly over the past year the number remains high and in many companies more needs to be done to drive true management of security risks.
“Breaches are becoming more sophisticated and their impact more damaging. Given the dynamic nature of the risk, boards need to be reviewing threats and vulnerabilities on a regular basis. As the average cost of an organisation’s worst breach has increased this year, businesses must make sure that the way they are spending their money in the control of cyber threats is effective. Organisations also need to develop the skills and capability to understand how the risk could impact their organisation and what strategic response is required.”
Seventy per cent of companies that have a poor understanding of security policy experienced staff-related breaches, compared to only forty-one per cent in companies where security is well understood. This suggests that communicating the security risks to staff and investing in ongoing awareness training results in fewer breaches.
The survey also found that there has been an increase in the number of businesses which are confident that they have the skills required within their organisations to detect, prevent and manage information security breaches – up to fifty-nine per cent from fifty-three per cent last year.
Ensuring that we have the cyber skills capability to meet the evolving needs of businesses is a key objective of the UK’s National Cyber Security Strategy. Earlier this year, the government unveiled a raft of new proposals to meet the increasing demand for cyber security skills. These include a new higher-level apprenticeship, special learning materials for 11 to 14-year-olds and plans to train teachers to teach cyber security.
Earlier this year the government launched a new scheme to help businesses stay safe online. Cyber Essentials provides clarity to organisations on what good cyber security practice is and sets out the steps they need to follow to manage cyber risks. From this summer organisations that have complied with the best practice recommendations will be able to apply to be awarded the Cyber Essentials Standard. This will demonstrate to potential customers that businesses have achieved a certain level of cyber security and take it seriously.
David Willetts will talk about the results of the survey in his speech at the Infosecurity Europe conference at Earls Court, London later today. He will also unveil the seven companies that have been identified as leaders in developing new techniques to protect data from criminals. They will benefit from £500,000 to carry out research and development projects as part of the Technology Strategy Board’s (TSB) cyber launchpad competition.
Notes to Editors
1. In the survey small businesses are those with one to 50 employees, and large businesses are those with more than 250 employees.
2. The 2014 Information Security Breaches Survey (ISBS) was commissioned by BIS and carried out by PwC in conjunction with Infosecurity Europe and Infosecurity Magazine. The results will be announced on
3. This annual survey is carried out to increase understanding and transparency of the cyber security landscape in the UK. The survey is anonymous, enabling government and businesses to benefit from accurate information on the cyber risks that businesses are facing, and how businesses are managing them.
4. This guidance has been tailored to meet the needs of small businesses and helps them to understand and deal with cyber risk. It follows on from the "10 Steps to Cyber Security" guidance released by HM Government in September 2012, which was aimed at larger businesses and encouraging them to make cyber security a Board level responsibility. Copies are available from the BIS press office.
5. BIS carries out this work under the National Cyber Security Programme which in turn delivers the UK Cyber Security Strategy, a key objective of which is to tackle cyber crime and make the UK one of the most secure places in the world to do business in cyberspace.
6. PwC firms help organisations and individuals create the value they’re looking for. We’re a network of firms in 158 countries with over 180,000 people who are committed to delivering quality in assurance, tax and advisory services. Tell us what matters to you and find out more by visiting us at www.pwc.com. ‘PwC’ is the brand under which member firms of PricewaterhouseCoopers International Limited (PwCIL) operate and provide services. Together, these firms form the PwC network. Each firm in the network is a separate legal entity and does not act as agent of PwCIL or any other member firm. PwCIL does not provide any services to clients. PwCIL is not responsible or liable for the acts or omissions of any of its member firms nor can it control the exercise of their professional judgment or bind them in any way.
7. More information about the Technology Strategy Board’s cyber launchpad competition can be found at
8. For further information please contact Nicola Thorogood on 020 7804 6007 /
9. The government’s economic policy objective is to achieve ‘strong, sustainable and balanced growth that is more evenly shared across the country and between industries’.