UK organisations double cyber security spend but aren’t seeing the return
Published at 00:01 AM on 05 October 2016
- 18% of UK organisations don’t know how many cyber attacks they suffered last year
- Nearly eight in 10 experienced down-time due to security incidents
- Average number of security incidents faced by UK companies increased by 23% to 5,792
- Incidents now cost an average of £2.6million, up 53% from last year
- Only 28% of UK boards are involved in setting security strategy
- Current employees continue to be top insider risk but increasingly business partners too
UK organisations doubled their information security budgets last year, spending £6.2m on average (2015: £3m), and over one and a half times more than their global counterparts (average spend £3.9m). Despite this, nearly a fifth (18%) don’t know how many cyber-attacks they experienced last year and 17% of all respondents don’t know the likely source of security incidents.
In the week the new National Cyber Security Centre opened in the UK, PwC has published the findings of its latest annual Global State of Information Security Survey 2017, produced in conjunction with CIO and CSO, based on interviews with over 10,000 executives from more than 133 countries, including 479 UK respondents.
With security incidents now costing an organisation an average of £2.6m (up from £1.7m last year, an increase of 53%), executives around the world are waking up to the fact that they can no longer afford to take a passive approach to protecting their assets, leading to the increase in budgets.
Richard Horne, UK cyber security partner at PwC, said:
“We’re beginning to see a shift in thinking. Organisations have come to realise that they can’t view cyber security as just a cost or barrier to change given the many high profile incidents we’ve seen recently.
“Getting security right is not only essential to the day-to-day running of a business, but can even be a competitive advantage, help to drive business growth and build brand trust.”
Boards in the UK are less involved than those in other markets in setting the security budget or, more importantly, the strategy. Only a third of UK companies (33%) have the board involved in setting security budgets, compared to the 39% global average, and even fewer (28%) have the board involved in setting the strategy (42.5% globally).
Richard Horne continued:
“Cyber security is far more than just building security controls – it’s about changing your organisation to be securable.
“That requires all aspects of a business to be engaged, to make tough decisions at board level, and embed consideration of cyber security risk in all decision-making processes.
“It’s not just about having more budget to buy more technology to patch cyber security holes. UK organisations need to take a more strategic approach to how they spend their increased budgets to start to see a real uptick in security posture.”
Not only has the average number of security incidents UK companies face increased by 23% in the last year to 5,792, but the threat landscape is also changing. The top insider risk and source of incidents for UK organisations continues to be current employees, with former employees a close second, but current service providers, consultants or contractors are now increasingly likely to be the source of a cyber threat to a business too.
It’s also clear that phishing still works to target these groups, with the majority of cyber security breaches reportedly caused by phishing incidents (37%).
Richard Horne continued:
“Instilling a cyber-aware culture in an organisation, and controlling who has access to what information, continues to be of utmost importance. Even with the best technology available on the market, employees can still be your weakest link.
“But when trying to assess your ‘insider’ risk, it’s important to look not only at your internal data, people and processes, but also at the third party relationships closely connected to your business – that is where the threat increasingly lies.”
Security incidents are now costing organisations more, and 79% of UK companies have suffered down-time because of them. Despite this, this year’s study showed a decrease in the number of UK companies investing in cyber insurance. In the previous study, 59% had a cyber insurance policy, but in the last year this has decreased to only 38% of respondents reporting that they have one (and 10% of these don’t even know what it covers), compared to 53% globally.
UK organisations are also more likely than the rest of the world to keep their cards close to their chest and not share security knowledge with others. Only 40% collaborate with others to reduce future risks, compared to over half across Europe (52%) and globally (55%).
Richard Horne concluded:
“UK companies remain wary about sharing security knowledge, but working with partners within a particular industry can significantly improve threat intelligence awareness and an organisation’s ability to spot potential incidents before they escalate.
“The organisations that get their approach to cyber security right are the ones that will prosper, build trusted brands and sustained value.”
Ends.
Notes for editors.
- The Global State of Information Security® Survey 2017 is a worldwide study by PwC, CIO and CSO. It was conducted online from April 4, 2016, to June 3, 2016. Readers of CIO and CSO and clients of PwC from around the globe were invited via email to take the survey.
- The results discussed in this report are based on the responses of more than 10,000 executives including CEOs, CFOs, CISOs, CIOs, CSOs, vice presidents, and directors of IT and information security from more than 133 countries. Thirty-four percent (34%) of respondents were from North America, 31% from Europe, 20% from Asia Pacific, 13% from South America, and 3% from the Middle East and Africa. The margin of error is less than 1%. There were 479 UK responses.
For more information please contact Felicity Main: 020 7213 3092 / 07841 467 421.
About CIO
CIO is the content and community resource for information technology executives and leaders thriving and prospering in this fast-paced era of IT transformation in the enterprise. The award-winning CIO portfolio—CIO.com, CIO magazine (launched in 1987), CIO executive programs, CIO strategic marketing services, CIO Forum on LinkedIn, CIO Executive Council and CIO primary research—provides business technology leaders with analysis and insight on information technology trends and a keen understanding of IT’s role in achieving business goals. Additionally, CIO provides opportunities for IT solution providers to reach this executive IT audience. CIO is published by IDG Enterprise, a subsidiary of International Data Group (IDG), the world’s leading media, events, and research company. Company information is available at http://www.idgenterprise.com/.
About CSO
CSO is the content and community resource for security decision-makers leading “business risk management” efforts within their organization. For more than a decade, CSO’s award-winning web site (CSOonline.com), executive conferences, strategic marketing services and research have equipped security decision-makers to mitigate both IT and corporate/physical risk for their organizations and provided opportunities for security vendors looking to reach this audience. To assist CSOs in educating their organizations’ employees on corporate and personal security practices, CSO also produces the quarterly newsletter Security Smart. CSO is published by IDG Enterprise, a subsidiary of International Data Group (IDG), the world’s leading media, events and research company. Company information is available at www.idgenterprise.com.
About PwC
At PwC, our purpose is to build trust in society and solve important problems. We’re a network of firms in 157 countries with more than 208,000 people who are committed to delivering quality in assurance, advisory and tax services. Find out more and tell us what matters to you by visiting us at www.pwc.com.
PwC refers to the PwC network and/or one or more of its member firms, each of which is a separate legal entity. Please see www.pwc.com/structure for further details. © 2016 PwC. All rights reserved