
Brian Pennington

A blog about Cyber Security & Compliance


Cost of business cyber security breaches almost double

The number of information security breaches affecting UK businesses has decreased over the last year but the scale and cost of individual breaches has almost doubled. 

The Information Security Breaches Survey 2014, commissioned by the Department for Business, Innovation and Skills (BIS) and carried out by PwC, found that:

  • 81% of large organisations suffered a security breach, down from 86% a year ago
  • 60% of small businesses reported a breach, down from 64% in 2013

Although organisations are experiencing fewer breaches overall, the severity and impact of attacks has increased, with the average cost of an organisation’s worst breach rising significantly for the third consecutive year. For small organisations the worst breaches cost between £65,000 and £115,000 on average, and for large organisations between £600,000 and £1.15 million.

The majority of businesses have increased IT security investment over the last year

Universities and Science Minister David Willetts said:

“These results show that British companies are still under cyber attack. Increasingly those that can manage cyber security risks have a clear competitive advantage. Through the National Cyber Security Programme, the government is working with partners in business, academia and the education and skills sectors to equip the UK with the professional and technical skills we need for long-term economic growth.”

Andrew Miller, cyber security director at PwC, said:

“Whilst the number of breaches affecting UK business has fallen slightly over the past year, the number remains high and in many companies more needs to be done to drive true management of security risks. Breaches are becoming more sophisticated and their impact more damaging. Given the dynamic nature of the risk, boards need to be reviewing threats and vulnerabilities on a regular basis. As the average cost of an organisation’s worst breach has increased this year, businesses must make sure that the way they are spending their money in the control of cyber threats is effective. Organisations also need to develop the skills and capability to understand how the risk could impact their organisation and what strategic response is required.”

70% of companies that have a poor understanding of security policy experienced staff-related breaches, compared to only 41% in companies where security is well understood. This suggests that communicating the security risks to staff and investing in ongoing awareness training results in fewer breaches.

The survey also found that there has been an increase in the number of businesses which are confident that they have the skills required within their organisations to detect, prevent and manage information security breaches, up to 59% from 53% last year.

Ensuring that we have the cyber skills capability to meet the evolving needs of businesses is a key objective of the UK’s National Cyber Security Strategy. Earlier this year (2014), the government unveiled a raft of new proposals to meet the increasing demand for cyber security skills. These include a new higher-level apprenticeship, special learning materials for 11 to 14 year-olds and plans to train teachers to teach cyber security.

Earlier this year (2014) the government launched a new scheme to help businesses stay safe online. Cyber Essentials provides clarity to organisations on what good cyber security practice is and sets out the steps they need to follow, to manage cyber risks. From this summer (2014) organisations that have complied with the best practice recommendations will be able to apply to be awarded the Cyber Essentials Standard. This will demonstrate to potential customers that businesses have achieved a certain level of cyber security and take it seriously.

The press release can be found here.

Combating Cybercrime to Protect Organisations

PwC have released their annual Cybercrime report, “Cybercrime: protecting against the growing threat – Global Economic Crime Survey”, and as usual it makes very scary reading.

The report shows that crime is up and that organisations have been slow to react to the threats, including threats that were highlighted in previous reports.

Organisations of all sizes need to improve their ability to protect their sensitive data, and the report focuses on several areas that need addressing, for example awareness of the threats among senior management and training for employees in how to spot crime and how to take the appropriate steps to react to an incident (Incident Response Planning).

There needs to be adequate protection in the form of technology, procedures and policies for the proposed awareness and training to be effective and efficient.

The report is based upon 3,877 respondents from organisations in 78 countries. The scale of the survey has provided a global picture of economic crime.

The key findings of the report are shown in full, with the remainder of the post focusing on the statistics shown in the report.

Key Findings from the PwC “Cybercrime: protecting against the growing threat” report

Our sixth report paints a dramatic picture of UK organisations still struggling in the face of severe austerity cuts.

Economic crime has risen by 8 percentage points since our 2009 survey, with over half of respondents reporting at least one instance of economic crime in the last 12 months. Even more concerning for senior executives was the fact that 24% of respondents reported more than ten incidents in the last 12 months.

Our findings suggest that the combination of rising economic crime in the UK, and widespread austerity cuts that limit the resources available to focus on economic crime, has made today’s business environment altogether more difficult and risky.

Cybercrime has become the third most common type of economic crime, whilst levels of ‘conventional’ economic crime have fallen (asset misappropriation has fallen by 8 percentage points since 2009, and accounting fraud by 5 percentage points in the same period). So we think organisations need to take a fresh look at how they deal with fraud.

Cybercrime now regularly attracts the attention of politicians and the media, and should be a concern to business leaders as well. Our survey gave respondents their first direct opportunity to highlight cybercrime as one of the main economic crimes they had experienced, and over a quarter of those who had reported economic crime in the last 12 months did so. The largest number of these were from the financial services sector.

Our survey shows that organisations need to be clear about exactly what cybercrime is, and who is responsible for managing it.

Economic crime perpetrated externally has increased and fraud carried out by employees within the organisation is declining.

Statistics extracted from the report

  • 47% of respondents said the cybercrime threats have increased over the last 12 months
  • 84% of respondents who identified an economic crime had carried out at least one fraud risk assessment in the last 12 months
  • 19% of UK respondents didn’t perform a fraud risk assessment in the last 12 months. This is a much lower figure compared with the global 29% of respondents
  • Over half of UK respondents reported economic crime in the last 12 months, compared with 34% globally
  • 51% of respondents experienced fraud in the last 12 months (UK)
  • 26% of those who experienced an economic crime in the last 12 months reported a cybercrime
  • 48% of respondents felt that responsibility for detecting and preventing cybercrime falls to the Chief Information Officer, the Technology Director or the Chief Security Officer
  • 66% of respondents said they had reported a cybercrime incident to law enforcement, compared with 76% of those who experienced economic crime
  • 54% of respondents representing organisations with offices in more than 20 countries saw an increased risk from cybercrime in the last 12 months. 35% of respondents representing organisations based just in the UK perceived a similar rise

Cybercrime awareness

  • The most effective way to raise cyber security awareness is through face-to-face training. In spite of this, only 24% of UK respondents received this type of training
  • 33% see cyber security as the responsibility of the Chief Executive Officer and the Board, the global figure is 21%
  • One in five respondents said the CEO and the Board only review these risks on an ad hoc basis

Response to cyber crime

  • 16% of UK respondents said their organisation has in place all five of the measures specified in the survey, compared with 12% of global respondents – see the link to the full report below.
  • 83% were concerned about reputational damage
  • 57% of respondents representing UK organisations have a media and public relations plan in place. The global response was 44%
  • 28% of respondents said they didn’t have any access to forensic technology investigators

Profile of the internal fraudster

  • male
  • aged between 31 and 40
  • employed with the organisation for between three and five years
  • educated to high school and not degree level

Top 5 departments perceived to present the biggest cybercrime risk

Rank  Department                         UK   Global
1.    Information technology             52   53
2.    Operations                         42   39
3.    Sales and marketing                36   34
4.    Finance                            37   32
5.    Physical/Information security      22   25

Find the full report here.

CIOs Optimistic About Information Security

PwC have released their 2012 Global State of Information Security Survey.

The survey is a worldwide security survey by PwC, CIO Magazine and CSO Magazine. It was conducted online between February 10 and April 18, 2011. Survey respondents were from around the globe and were invited via email to take the survey. The results discussed in this report are based on the responses of more than 9,600 CEOs, CFOs, CISOs, CIOs, CSOs, vice presidents and directors of IT and information security from 138 countries. Twenty-nine percent (29%) of respondents were from North America, 26% from Europe, 21% from South America, 20% from Asia, and 3% from the Middle East and South Africa. The margin of error is less than 1%.

Threats to security, like the weather, are hard to predict. Many executives point to the sunshine and clear skies overhead. Others eye the low barometric pressure.

The survey produced 17 findings. The findings are summarised below:

A world of front-runners: Respondents categorize their organization

Finding #1 This year, a surprisingly high percentage of respondents consider their organization, in effect, a “front-runner” in information strategy and execution.

Finding #2 These “front-runners” see client requirement as the greatest justification for information security spending—and are passionate about protecting data.

Finding #3 Curiously, “strategists” are far more likely to clamp down on funding for information security than any of the other three groups.

Confidence and progress: A decade of maturation

Finding #4 A clear majority of respondents are confident that their organization’s information security activities are effective.

Finding #5 Companies now have greater insights than they’ve ever had into cyber crimes and other incidents and they’re translating this information into investments specifically focused on three areas: prevention, detection and web-related technologies.

Finding #6 After three years of cutting information security budgets and deferring security related initiatives, respondents are “bullish” about security spending.

Vulnerability and exposure: Capability degradation since 2008

Finding #7 One of the most dangerous cyber threats is an Advanced Persistent Threat attack. Few organizations have the capabilities to prevent this.

Finding #8 After three years of economic volatility and a persistent reluctance to fund the security mission, degradation in core security capabilities continues.

Finding #9 Managing the security-related risks associated with partners, vendors and suppliers has always been an issue. It’s getting worse.

Finding #10 That 72% worldwide confidence rating in security practices may seem high but it has declined markedly since 2006.

Windows of improvement: Where the best opportunities lie

Finding #11 What are the greatest obstacles to effective information security? Leaders point to the lack of capital, among other factors—and shine the spotlight hottest at the “top of the house.”

Finding #12 Mobile devices and social media represent a significant new line of risk and defense. New rules are in effect this year for many organizations, though not yet the majority.

Finding #13 Cloud computing is improving security. But many want better enforcement of provider security policies, among other priorities.

Global trends: Asia races ahead while the world’s information security arsenals age

Finding #14 For several years, Asia has been firing up its investments in security. This year’s results reveal just how far the region has advanced its capabilities.

Finding #15 As North American organizations continue their reluctance to fund security’s mission at levels that they have in the past, capabilities continue to degrade.

Finding #16 In the face of economic uncertainty and in spite of a portfolio of security capabilities in decline, Europe pulls the purse strings even tighter.

Finding #17 Like most of the world, South America’s armory of information security defenses is rusting. As the region’s confidence in its security plummets, it thirsts for cash.

What this means for your business: look at the leaders. Learn from what they have done and how they are electing to address the future.

Find the full details of the report here.
