
· One in seven large organisations has been hacked in the last year

· The average large organisation faces a significant outsider attack every week; small businesses face one a month

· 20% of organisations spend less than 1% of their IT budget on information security

· Customer impersonation up threefold since 2008; financial services affected most


The number of large organisations being hacked into is at a record high; the overall cost of security breaches to UK plc is now billions of pounds a year, a new survey of 447 UK businesses shows.

In the last year, one in seven large organisations has detected hackers within their systems – the highest level ever recorded since the survey started in the early 1990s.  Furthermore, 70% of large organisations have detected significant attempts to break into their networks in the last year, which is another record high. 

These are some of the key findings from the 2012 Information Security Breaches Survey (ISBS) by PwC in conjunction with Infosecurity Europe and supported by the Department for Business, Innovation and Skills. The results were revealed today at Infosecurity Europe, Europe's premier information security event.

On average, each large organisation suffered 54 significant attacks by an unauthorised outsider, twice the level in 2010, while 15% of large organisations had their networks successfully penetrated by hackers. The average cost of the worst security breach of the year is £110k-£250k for a large organisation and £15k-£30k for a small business.

Chris Potter, PwC information security partner, said:


“The UK is under relentless cyber attack and hacking is a rising risk to businesses. The number of security breaches large organisations are experiencing has rocketed and as a result, the cost to UK plc of security breaches is running into billions every year. Since most businesses now share data with their business partners across the supply chain, these numbers are startling and make uncomfortable reading for business leaders.

“Large organisations are more visible to attackers, which increases the likelihood of an attack on their IT systems. They also have more staff and more staff-related breaches, which may explain why small businesses report fewer breaches than larger ones. However, it is also true that small businesses tend to have less mature controls, and so may not detect the more sophisticated attacks.”

Apart from hacking, the survey shows that organisations are experiencing many data protection breaches, data loss events and computer frauds, particularly those that haven’t invested in staff education.  The vast majority of respondents had a security breach in the last year: 93% of large organisations and 76% of small businesses.  The most serious breaches result from failings in a combination of people, process and technology, showing the importance of investing in all three aspects. 

Outsider attacks have increased, especially against large organisations, and there is a marked contrast in the average number of breaches suffered by small and large organisations. On average a large organisation now faces one significant outsider attack per week, while for small businesses it is one a month; in both cases hacking attacks make up the largest single component.

All sectors reported attackers on the Internet trying to impersonate them; financial services and government bodies were hit most, often reporting “phishing” attacks several times a day. Customer impersonation and identity fraud remain high (up threefold from 2008) with all sectors affected but financial services companies have now overtaken retail.  Criminals currently appear to find it easiest to make money by impersonating the customers of banks.  One in eleven respondents reported that an outsider had stolen confidential data, with financial services and utilities providers the worst affected.

Despite the prolonged economic slowdown, most organisations have spent more on security this year than in the previous one.  On average, organisations spend 8% of their IT budget on information security, and those that suffered a very serious breach were found to spend on average 6.5% of their IT budget on security.  There’s some evidence of complacency setting in among large organisations.  Some 12% of businesses say senior management give a low priority to security, while 20% spend less than 1% of their IT budget on information security.  A root cause is that it is hard to measure the business benefits from spending money on security defences. Only 20% of large organisations evaluate return on investment on their security expenditure.

Chris Potter, PwC information security partner, said:

“Organisations that suffered a very serious breach during the year spent slightly below the overall average on security. The key challenge is to evaluate and communicate the business benefits from investing in security controls. Otherwise, organisations end up paying more overall. Given that most organisations take a lot of action after a breach to tighten up their security, scrimping and saving on security creates a false economy. The cost of dealing with breaches and the knee-jerk responses afterwards usually outweigh the cost of prevention.

“If security is doing its job it goes unnoticed and it’s hard to measure the business benefits, so investment in security often ends up losing out against other competing business priorities. Whether you are a large company or a small one, the challenge is to make sure the money you spend on security is well targeted – evaluating the effectiveness of your security expenditure is vital if you are to stay ahead of the emerging threats.”

ENDS

 Contacts:

 Chris Potter, partner, PwC

Tel: 020 7212 3640, Mobile: 07808 783279

 Elizabeth Faulkner, media relations, PwC

Tel: 0207 213 1018, Mobile: 07877 758 609

 Neil Stinchcombe, PR, InfoSecurity Europe

Tel: 0207 183 2833, Mobile: 07947 613 303

Notes to Editor:

1. Survey methodology

The survey findings are based on responses from security professionals in 447 UK and Channel Islands organisations spread across all industry sectors, of which roughly a fifth were from the public sector.

2. About Infosecurity Europe

Infosecurity Europe is Europe’s number one information security event, featuring over 300 exhibitors and visitors from every segment of the industry. Organised by Reed Exhibitions, the world’s largest tradeshow organiser, Infosecurity Europe runs from the 24th – 26th April 2012, in Earls Court, London. For further information please visit www.infosec.co.uk

3. About PwC and information security

Our security practice, spanning our global network, has more than 30 years' experience, with over 200 information security professionals in the UK and 3,500 globally. Our integrated approach recognises the multi-faceted nature of information security and draws on specialists in process improvement, value management, change management, human resources, forensics, risk, and our own legal firm. PwC has gained an international reputation for its technical expertise and strong security skills in strategy, design, implementation and assessment services.

4. About PwC

PwC firms help organisations and individuals create the value they’re looking for.  We’re a network of firms in 158 countries with close to 169,000 people who are committed to delivering quality in assurance, tax and advisory services.  Tell us what matters to you and find out more by visiting us at www.pwc.com.

"PwC" is the brand under which member firms of PricewaterhouseCoopers International Limited (PwCIL) operate and provide services. Together, these firms form the PwC network. Each firm in the network is a separate legal entity and does not act as agent of PwCIL or any other member firm. PwCIL does not provide any services to clients. PwCIL is not responsible or liable for the acts or omissions of any of its member firms nor can it control the exercise of their professional judgment or bind them in any way.

© 2012 PricewaterhouseCoopers. All rights reserved.