InfoSec 2014: Cost Of Serious Security Breaches Almost Doubles In A Year

The number of serious cyber security breaches suffered by UK businesses has decreased in 2014 but their cost has increased dramatically, according to an annual study of the security landscape commissioned by the UK government.

The study also found that small businesses were hit hardest by this new trend, and the majority of respondents were pessimistic, expecting the number of breaches to go up again in the nearest future.

“We as the UK government take very seriously. We pride ourselves on having a particularly large and growing online economy, with the Internet accounting for eight percent of our GDP, so it’s important that we maintain consumer confidence in businesses online, and it’s one of the crucial reasons for our national Cyber Security Strategy,” said David Willets, Minister for Universities and Science who announced the results of the survey at InfoSec 2014 conference.

Dangerous times

According to the Information Security Breaches Survey conducted by PWC, the average cost of the worst breach of the year for a large organisation stood at £450,000 to £850,000 in 2013. But this year it has increased considerably, averaging from £650,000 to £1.15 million.

The situation is even worse for small businesses – in 2013, they paid £35,000 to £65,000 for the worst breach of the year. This year, the costs have grown, with the bill totalling somewhere between £65,000 and £115,000.

At the same time, the number of organisations that were successfully attacked or suffered from data loss has decreased by about five percent and even those organisations which were breached repeatedly reported an improvement over 2013.

Other trends include an increase in malware attacks – the number of large organisations that were infected by viruses or malware has increased from 59 percent to 73 percent, while the Distributed Denial of Service (DDoS) attacks are exactly as popular as they were in 2013.

Sixteen percent of large organisations and four percent of small businesses said they are aware that an outsider had successfully penetrated their network and stolen intellectual property or confidential information in the past year.

Even though cyber security has been gaining more attention in the mainstream media, the coverage of major security breaches like those at Target or Adobe shows “just the tip of the iceberg” – only 30 percent of respondents said they have disclosed their worst breaches to the public.

There have also been some genuinely positive findings – overall investment in security as a portion of IT budget is increasing across all industries, even those that traditionally have very small IT budgets.

The number of staff-related breaches has gone down across all organisations, and the report found that education was key. Seventy percent of companies where security policy was poorly understood had suffered staff-related breaches, versus 41 percent at companies where it was understood well.

The report also highlights an improvement in access to skills and resources – 56 percent of organisations said they feel well-equipped to deal with security threats, versus 53 percent a year ago.

While presenting the findings at InfoSec, Willets said that the UK cyber security market was not just about protecting domestic companies, but also creating security products and services. He congratulated the seven winners of the Severn Valley Cyber Security Launchpad – a start-up initiative run by the Technology Strategy Board – and said that the government was aiming to increase the UK’s cyber security exports to £2 billion a year by 2016.

How well do you know network security? Try our quiz and find out!