The number of large organizations being hacked into is at a record high; the overall cost of security breaches to UK plcs is now billions of pounds a year, a new survey of 447 UK businesses shows.
In the last year, one in seven large organizations has detected hackers within their systems – the highest level ever recorded since the survey started in the early 1990s. Furthermore, 70% of large organizations have detected significant attempts to break into their networks in the last year, which is another record high.
These are some of the key findings from the 2012 Information Security Breaches Survey (ISBS) by PwC in conjunction with Infosecurity Europe.
On average, each large organization suffered 54 significant attacks by an unauthorized outsider, twice the level in 2010, while 15% of large organizations had their networks successfully penetrated by hackers. The average cost of a large organization’s worst security breach of the year is £110k-£250k and £15k-£30k for a small business.
Apart from hacking, the survey shows that organizations are experiencing many data protection breaches, data loss events and computer frauds, particularly those that haven’t invested in staff education.
The vast majority of respondents had a security breach in the last year: 93% of large organizations and 76% of small businesses. The most serious breaches result from failings in a combination of people, process and technology, showing the importance of investing in all three aspects.
Outsider attacks have increased, especially against large organizations. There is a marked contrast in the average number of breaches suffered by small and large organizations affected. On average a large organizations now faces one attack per week while for small businesses it is one a month and hacking attacks make up the largest single component.
All sectors reported attackers on the Internet trying to impersonate them; financial services and government bodies were hit most, often reporting “phishing” attacks several times a day. Customer impersonation and identity fraud remain high (up threefold from 2008) with all sectors affected but financial services companies have now overtaken retail.
Criminals currently appear to find it easiest to make money by impersonating the customers of banks. One in eleven respondents reported that an outsider had stolen confidential data, with financial services and utilities providers the worst affected.
Despite the prolonged economic slowdown, most organizations have spent more on security this year than in the previous one. On average, organizations spend 8% of their IT budget on information security, and those that suffered a very serious breach were found to spend on average 6.5% of their IT budget on security.
There’s some evidence of complacency setting in among large organizations. Some 12% of businesses say senior management give a low priority to security, while 20% spend less than 1% of their IT budget on information security. A root cause is that it is hard to measure the business benefits from spending money on security defences. Only 20% of large organizations evaluate return on investment on their security expenditure.
“If security is doing its job it goes unnoticed and it’s hard to measure the business benefits, so investment in security often ends up losing out against other competing business priorities,” says Chris Potter, PwC information security partner.
“Whether you are a large company or a small one, the challenge is to make sure the money you spend on security is well targeted – evaluating the effectiveness of your security expenditure is vital if you are to stay ahead of the emerging threats.”