Large number of UK companies still in the dark on security breaches – PwC report

Published at 00:01 AM on 01 October 2014

  • Nearly 10% of UK companies don’t know how many security breaches they have suffered in the last 12 months
  • Almost a quarter have not detected any security breaches in the past year
  • 55% plan to increase spending on information security this year but 38% will spend the same or less, compared with 28% globally
  • Most breaches are due to staff rather than outsiders

UK companies are suffering more cyber security incidents than their global counterparts but are falling behind others in detecting them. According to the latest Global State of Information Security report by PwC, 69% of companies experienced a security incident in the UK in the past 12 months, compared to 59% globally.

PwC interviewed 9,805 executives from more than 154 countries, including over 475 from the UK, across all industries, in the annual report that looks at the challenges faced by companies in protecting their businesses and their assets from cyber security incidents.

The number of reported security incidents around the world rose 48% to 42.8 million, the equivalent of 117,339 attacks per day in 2013, according to the survey released by PwC in conjunction with CIO and CSO magazines.

Worryingly, over 22% of the UK companies surveyed say they did not detect any security incidents in the past year, compared with 16% globally and 18% in Europe. Further, 8% of UK businesses say they do not know how many security breaches they have had in the last 12 months.

Whilst 55% of UK companies say they plan to spend more on security this year, compared with 42% last year, a further 33% of companies report their spending will stay the same. The rest either plan to cut back on spend or don’t know what they will do.

By contrast, there is more uncertainty overseas about security spending, with 18% of US companies saying they do not know what they plan to spend in the year ahead.

Leadership is cited by 30% of respondents as the biggest obstacle to improving the overall effectiveness of the security function. Over a quarter of respondents (29%) do not think there is a senior executive who proactively communicates the importance of information security, up from last year.

UK respondents say the top three obstacles to improving security are: insufficient capital funding, a lack of leadership from the CEO or Board, and the lack of an effective information strategy. On a positive note, 42% of UK respondents say their boards are engaged with the overall security strategy, compared with 37% of US interviewees.

Richard Horne, cyber security partner at PwC, said:

“A sizeable minority of UK businesses are underestimating the scale of the problem they face. Information security incidents are a fact of life, and a critical element of defence is the ability to detect and respond to incidents quickly before they have an impact on business. The fact that nearly a third of UK businesses either has not detected a security incident or knows that they are in the dark suggests that more attention is needed across the UK economy to protect our businesses.

“The increasing spend on information security is welcome but securing digital assets has to be embedded in the DNA of all organisations. That requires leadership and a clear strategy, which again appears to be missing in nearly a third of businesses. It is encouraging that there is better board-level engagement with security strategy and spending, and that the UK is ahead of the US in that regard, but more needs to be done.

“Cyber threats continue to evolve and no organisation can stand still. Businesses in all sectors need to prepare and refine their defences – and respond to breaches – against incredibly sophisticated attacks. This is a risk that can be managed, but it requires continual focus, leadership and commitment – not just to prevent breaches but also to detect and respond to incidents rapidly when they happen.”

The impact of security breaches has continued to affect business. Over a quarter of UK respondents say customer and employee records have been compromised; over 22% have suffered the theft of intellectual property; and 20% have suffered financial losses. In total, 70% of UK companies say they experienced some business down time as a result of security incidents this year. 59% experienced up to 24 hours of down time.

Cyber insurance is one area where companies can look to protect themselves from theft or misuse of data. Over half of UK companies have cyber insurance but another 17% do not know whether they have any cyber insurance policies in place. UK companies have been less proactive at claiming against their policies, with 34% making claims compared with 48% globally.

Finally, insiders, particularly current or former employees, are cited as a major source of security incidents by most respondents. Hackers and competitors are cited by fewer respondents as the source of outside security incidents.

Grant Waterfall, cyber security partner at PwC, said:

“The results indicate that awareness of cyber security risk in the UK is improving. We’re seeing the benefit of a number of Government and private sector initiatives. Although there is still some way to go, the focus for many organisations must now shift from awareness to action.”

Finally, the survey reports that UK companies have embraced initiatives to address risks from mobile security, following the trend for employees to use smart phones and tablets seamlessly between work and home, but they are still not as good at implementing controls as they should be given the increasing trend in ‘bring your own device’ (BYOD). Over 56% have mobile security strategies – higher than the global figure – but 18% say they do not have any controls.



Notes to Editors


The Global State of Information Security® Survey 2015 is a worldwide study by PwC, CIO and CSO. It was conducted online from March 27, 2014 to May 25, 2014. Readers of CIO and CSO and clients of PwC from around the globe were invited via e-mail to take the survey. The results discussed in this report are based on responses of more than 9,700 CEOs, CFOs, CIOs, CISOs, CSOs, VPs, and directors of IT and security practices from more than 154 countries. Thirty-five percent of respondents are from North America, 34 percent from Europe, 14 percent from Asia Pacific, 13 percent from South America, and four percent from the Middle East and Africa. The margin of error is less than one percent.


About CIO and CSO

CIO is the premier content and community resource for information technology executives and leaders thriving and prospering in this fast-paced era of IT transformation in the enterprise. The award-winning CIO portfolio—, CIO magazine (launched in 1987), CIO executive programs, CIO marketing services, CIO Forum on LinkedIn and CIO primary research—provides business technology leaders with analysis and insight on information technology trends and a keen understanding of IT’s role in achieving business goals. Additionally, CIO provides opportunities for IT solution providers to reach this executive IT audience. CIO is published by IDG Enterprise, a subsidiary of International Data Group (IDG), the world’s leading media, events, and research company. Company information is available at


CSO is the premier content and community resource for security decision-makers leading “business risk management” efforts within their organization. For more than a decade, CSO’s award-winning Web site (, executive conferences, marketing services and research have equipped security decision-makers to mitigate both IT and corporate/physical risk for their organizations and provided opportunities for security vendors looking to reach this audience. To assist CSOs in educating their organizations’ employees on corporate and personal security practices, CSO also produces the quarterly newsletter Security Smart. CSO is published by IDG Enterprise, a subsidiary of International Data Group (IDG), the world’s leading media, events and research company. Company information is available at


The Global State of Information Security® is a registered trademark of International Data Group, Inc.


About PwC

PwC firms help organisations and individuals create the value they’re looking for. We’re a network of firms in 158 countries with over 180,000 people who are committed to delivering quality in assurance, tax and advisory services. Tell us what matters to you and find out more by visiting us at


‘PwC’ is the brand under which member firms of PricewaterhouseCoopers International Limited (PwCIL) operate and provide services. Together, these firms form the PwC network. Each firm in the network is a separate legal entity and does not act as agent of PwCIL or any other member firm. PwCIL does not provide any services to clients. PwCIL is not responsible or liable for the acts or omissions of any of its member firms nor can it control the exercise of their professional judgment or bind them in any way.


2014 PricewaterhouseCoopers. All rights reserved






