Key Observations in the Information Security Breaches Survey Report 2015
The UK Government has released their report based on this year’s Information Security Breaches Survey. The report, prepared by PWC on behalf of the Department for Business Innovation and Skills, details the findings of a survey of UK companies on information breaches, cyber security incidents and emerging trends. Here are our key observations from the report.
Security Breaches Levels Rising
The report shows that information security breaches are on the increase with 90% (81% – 2014) of large organisations* and 74% (60% – 2014) of small businesses** reporting a breach.
Sources of Cyber Attacks – External and Internal Human Factors
69% (55% – 2014) of larger organisations reported malicious attacks from unauthorised outsiders while only 38% (33% – 2014) of small businesses shared the same fate.
Even though outside attacks are often the most publicised form of a cyber security breach, breaches due to human error (e.g. not locking computers when away from desks, failing to follow protocols, accidentally emailing confidential information to competitors, etc.) are also on the rise. 75% (58% – 2014) of large organisations and 31% (22% – 2014) of small organisations reported a staff-related security breach. Obviously, organisations with more employees are likely to report a greater number of staff breaches, even though the ratio of breaches per employee may be lower due to greater controls, training and investment in IT security.
The report also identified that hackers are taking advantage of human error by targeting ‘privileged users.’ A ‘privileged user’ is someone who has access to confidential data, such as passwords to secure databases and emails regarding business functions, and is often a manager, director or owner. Whilst the report did not cover this point, it is worth asking whether some individuals in these positions believe IT security rules apply to the staff and not to them.
Costs of Security Breaches for Businesses
The survey also asked organisations to note the cost of their worst single breach and the results were shocking. For large organisations the range was £1.46m to £3.14m (£600k to £1.15m – 2014); for small businesses the range was £75k to £311k (£65k to £115k – 2014).
The ‘cost’ of a loss included business disruption, lost sales, recovery of assets, fines and compensation.
How are Businesses Understanding and Managing Security Risks?
The report, as one would expect, notes that the majority of those asked (72% of large and 63% of small organisations) have increased the amount of security awareness training given to their front-line staff.
Surprisingly, 14% of all respondents noted they have never briefed their board on information security risks. At the other end of the scale, 82% said that senior management place a high or very high priority on information security.
Unsurprisingly though, 72% of companies ‘where the IT security policy was poorly understood’ had suffered staff-related breaches.
In spite of the increasing cost and number of breaches, the report noted that only 44% of all organisations were spending more on information security during the last year, with only 7% of small organisations and 46% of large organisations expecting to spend more during the next 12 months.
Lastly, the vast majority of organisations reported that they do not hold cyber insurance to offer assistance in managing and protecting against the costs if there is a data security breach.
Notes: * and ** – The report defines large organisations as those with more than 250 employees and small businesses as those with fewer than 50 employees, and reports on them separately.
The results for medium-sized businesses, 50-249 employees, tend to be similar to those of small businesses unless otherwise noted.