Large organisations in the UK were hit by an average of 54 cyber attacks over the last year, and 15 percent admitted that hackers had successfully penetrated their networks.
In a survey of 447 organisations conducted by PwC, 70 percent of large organisations said they had detected significant attempts to break into their networks, and one in seven detected hackers within their systems – the highest level recorded since the early 90s.
Meanwhile, 15 percent of small businesses were hit by denial of service (DoS) attacks in the last year, according to PwC's 2012 Information Security Breaches Survey (ISBS), carried out in conjunction with Infosecurity Europe and supported by the Department for Business, Innovation and Skills.
The average cost of a large organisation’s worst security breach is between £110,000 and £250,000 and from £15,000 to £30,000 for a small business. Overall, cyber-security breaches have cost UK plc billions of pounds over the last year.
“The UK is under relentless cyber attack,” said PwC information security partner Chris Potter. “Since most businesses now share data with their business partners across the supply chain, these numbers are startling and make uncomfortable reading for business leaders.”
Potter added that, while large organisations are more likely to be targeted by hackers, small businesses tend to have less mature controls, and so may not detect the more sophisticated attacks.
Commenting on the news, Universities and Science Minister David Willetts said it was a timely reminder for UK businesses to make sure their information systems are protected.
“The survey demonstrates why the government is right to be investing £650m to improve cyber security and make the UK one of the safest places to do business in cyberspace,” he said. “We will use the findings to help design a new annual survey of cyber security breaches beginning next year.”
PwC's ISBS report also examines the impact of staff-related breaches such as data protection breaches, data loss events and computer frauds. Overall, 93 percent of large organisations and 76 percent of small businesses admitted to having suffered a security breach in the last year.
The root cause is often a failure to educate staff, particularly within small businesses, said Potter. According to the research, 54 percent of small businesses do not have any programme for educating their staff about security risks, and this often results in organisations being forced to take emergency measures after a breach has occurred.
“Given that most organisations take a lot of action after a breach to tighten up their security, scrimping and saving on security creates a false economy,” he said. “The cost of dealing with breaches and the knee-jerk responses afterwards usually outweigh the cost of prevention.”
In large businesses, there are signs of complacency setting in, according to the report, with 20 percent spending less than one percent of their IT budget on information security, far below the average of eight percent. This is largely because it is hard to measure the business benefits of spending money on security defences, added Potter.
The Information Commissioner's Office currently has the power to issue fines of up to £500,000 for breaches of the Data Protection Act. Last week both Leicestershire County Council and Toshiba were named and shamed for leaking sensitive data.
Meanwhile, the European Commission plans to issue a single set of rules on data protection that will apply across the whole of the EU. Under the new rules, companies suffering data breaches will have 24 hours to tell the relevant authorities or risk legal action and large fines.
Infosecurity Europe runs from the 24th – 26th April 2012, in Earls Court, London.