Security breaches a monthly headache for firms, deliberate targeting on the rise, cost of cleaning up doubles

Costs of the worst security breaches top the £1m mark and companies are expecting worse to come.
Written by Steve Ranger, Global News Director
A growing number of companies are being subjected to increasingly sophisticated attacks on their systems, as the cost of recovering from these assaults continues to rocket.

According to the 2015 Information Security Breaches Survey report commissioned by the UK government, 90 percent of large organisations reported suffering a security breach last year, up from 81 percent the year before. Three-quarters of small organisations said they had suffered a breach in 2014, up from 60 percent the year before.

The average large company had 14 security breaches last year - more than one per month - while smaller companies reported a lower level, at just four over a year.

Virus attacks were the most common type of security issue, reported by 81 percent of large companies. But over half (57 percent) had been targeted by phishing attempts, a third (37 percent) had seen a denial of service attack, and nearly one in four (24 percent) said their networks had been breached by hackers.

"Considering all breaches, there was a noticeable 38 percent year-on-year increase of unauthorised outsider attacks on large organisations, which included activities such as penetration of networks, denial of service, phishing and identity theft," the report noted.

Businesses are pessimistic about their abilities to keep crooks out: over half expected to see more breaches in future.

The annual report, compiled by PwC, is a widely quoted snapshot of the security threats facing UK businesses.

The study also found the average cost of the worst single breach suffered by the organisations surveyed has gone up sharply. For companies employing over 500 people, the cost of the breach - including business disruption, lost sales, recovery of assets, fines, and compensation - ranged from £3.14m to £1.46m on average. Last year, the range was £1.15m to £600,000. For smaller firms, the range is from £310,800 to £75,200; up from £115,000 to £65,000 for the prior year.

To illustrate the costs, the survey presented a number of anonymous case studies including a "medium sized technology company with UK operations" which found its systems infected with malware after an employee used a company laptop to download files from a peer-to-peer website. "It had a serious impact on business operations as it took over a week to recover. Over £100,000 in revenue was lost as a result of the incident and over £250,000 was spent on addressing the breach," the report said.

But for all this increasing sophistication of hackers trying to get in from the outside, the biggest threat still comes from within the organisation itself or its suppliers.

When questioned about the single worst breach they had suffered, half of all organisations attributed it to 'inadvertent human error', compared to 'organised crime' which was reported as being responsible for 23 percent of incidents (no one admitted to being hacked by rival companies or by intelligence agencies).

Perhaps unsurprisingly, companies of all sizes continue to spend more on IT security: 44 percent of businesses increased their security spending last year, and 46 percent of large businesses expect to do it again this year - while only seven percent of smaller ones said the same.
