PwC: Cost of security breaches triples in two years for UK firms

A record number of security breaches is costing UK firms billions of pounds, according to a new survey from PricewaterhouseCoopers (PwC).

An average security breach now costs a large UK firm between £280,000 and £690,000, according to the biennial survey conducted by PricewaterhouseCoopers. This is a massive jump from between £90,000 and £170,000 in 2008, when the survey was last conducted.

The Information Security Breaches Survey, presented at InfoSecurity Europe 2010, found that after declining in number for the last few years, security breaches are once again hitting UK organisations in large numbers.

In PwC’s 2008 survey, just 35 percent said they had experienced a malicious security breach in the previous year. This year, 92 percent of firms with more than 250 employees, and 83 percent of smaller firms with up to 25 employees, said they had recorded a security incident in the last year. These figures had increased from 72 percent and 45 percent respectively in the 2008 study. Fifteen percent of large companies said their IT assets had been accessed by an unauthorised outsider in the last 12 months, and 25 percent had suffered a denial of service attack – double the number logged in 2008.

Chris Potter, partner in OneSecurity at PwC, said: “The number [of security breaches] has risen to well over double what it was two years ago and has reached record levels for all sizes of organisation. All types of breach were on the increase and a conservative estimate is that the total cost of breaches to UK business in billions of pounds is now well into double figures.”

As web-based working has increased, so too have the associated risks, according to this year's report. The 2010 report found that 85 percent of businesses use a wireless network, double the number in 2008 (42 percent). In addition, 47 percent use voice over Internet protocol (VoIP) telephony (up from 17 percent), while 34 percent are “critically” dependent on cloud computing models, where externally hosted software services are accessed over the internet. A total of 539 organisations responded to the survey, and respondents were typically security professionals.

PwC also found that firms’ adoption of security controls is lagging behind their adoption of new technology. Although security remained a high priority for the senior management of 77 percent of businesses, this had fallen from 81 percent in 2008. Similarly, 90 percent had maintained or increased their security expenditure last year, compared with 94 percent in 2008.

Compared with 2008, both the average number of breaches and their cost had increased. Small businesses this year suffered an average of 11 breaches, with the worst incident costing an average of £55,000. This was up from six breaches and an average cost of £20,000 in 2008. Meanwhile, larger firms averaged 45 breaches, three times the 2008 figure (15).

For most types of breach, attacks on large firms had more than doubled. For example, 61 percent detected a significant attempt to break into their network, up from 31 percent two years ago. Also, 62 percent of large firms were infected by a virus or other malicious software in the last year, compared with 21 percent in 2008. Small firms were similarly affected, with three times as many of them infected by viruses as in 2008.

It is probably no surprise then that the majority of respondents, 56 percent of large firms and 43 percent of small firms, expect even more incidents next year, which would be a return to 2006 levels. Only 16 percent expect fewer security incidents next year.

However, PwC said it was encouraged that the proportion of firms with a formal security policy (90 percent, compared with 88 percent in 2008) was higher than ever, but found that firms are still struggling to spread the message. Just over half of large firms, 52 percent, provide security training for staff, although this is significantly higher than the figure two years ago (26 percent).

Andrew Beard, director of OneSecurity at PwC, said: “Part of the solution to ensure better security is encrypting data, and we see that there have been huge improvements in this area with regard to laptops, USB sticks and other removable media.

“But educating people is just as important, and more companies than ever before now have a security policy, although only 19% of respondents from large organisations believed their policy is very well understood by staff. The root cause of this is that investment in security awareness training, while on the increase, is still often inadequate.”

Webroot also reported similar findings to those of PwC in its survey of businesses in the UK, US and Australia.

Copyright © 2010 IDG Communications, Inc.