In April, the UK Department for Business, Innovation & Skills (BIS) published the 2013 Information Security Breaches Survey: Technical Report. The report comprises the findings from four online questionnaires completed by 1,402 respondents, and contains a number of important cyberattack statistics for both large organisations and small businesses. The results clearly indicate that everyone needs to pay more attention to cybersecurity: the annual cost of attacks on UK businesses has tripled since last year and now amounts to billions of pounds.
In the past year, 93% of large organisations suffered security breaches, and no sector or region was immune. Companies experienced around 50% more breaches than last year, with the median number of breaches per large organisation rising from 71 to 113, an increase attributed in part to technological change. A growing number of breaches were traceable to the use of social networking sites (especially where that use was not monitored) and to smartphones and tablets. More businesses are also using cloud computing, with more than three-quarters of respondents admitting to putting confidential or highly confidential data in the cloud.
As companies continue to prioritise information security, an increasing share of the IT budget is spent on security; however, that spending often does not translate into effective defences. Serious security breaches have multiple and complex causes, and in the report BIS raised concerns that 42% of large organisations do not provide employees with on-going security awareness training, while 23% of companies do not carry out any security risk assessment. Only 30% of large organisations used “The Ten Steps” guidance on cybersecurity issued by the government in 2012, and even among those, implementation was often patchy. More than 14% of large organisations reported being victims of intellectual property (IP) or data loss.
“Failure to invest in preventative controls can be a false economy,” BIS warns in the report, as the average cost of cyberattacks is at an all-time high. Losses from the worst breaches increased substantially, ranging between £450,000 and £750,000, with several individual breaches costing more than £1 million. BIS reports that reputational damage alone can cost large organisations between £25,000 and £115,000.
The same trends apply to small businesses. This matters to large companies as well: they may now need to make a habit of applying due diligence and supplier-management programmes to the cybersecurity of their smaller suppliers and service providers, which in turn should be a serious concern for tech start-ups and app developers that sell to them. The UK Government has published new cybersecurity guidance for small businesses, which contains simple steps for planning, implementing and reviewing cyberdefences. Larger organisations may consider reducing their risk by making sure that all entities they do business with adhere to this guidance.