Infosec 2013: Flood of breaches show really bad year for small business security
This was the biggest takeaway from this year's Information Security Breaches Survey, commissioned by the Department for Innovation, Business and Skills and released at this year's Infosecurity conference in Earls Court, London.
The survey said 87 per cent of small businesses had a security breach in the last year, significantly up from 76 per cent a year ago. This almost matched the 93 per cent of large organisations that had a breach.
Security breaches reached their highest ever levels compared with previous years of the survey, costing UK companies billions of pounds per year. The costs of these breaches varied widely, with some individual intrusions costing over £1 million.
"Small businesses are really in the crosshairs, much more than they have ever been before," said Andrew Miller, director at PricewaterhouseCoopers, which commissioned the survey.
"The number of attacks they face is up massively. It's a rising trend, and over the last few years the small business communities are in the forefront of a lot of changes."
The survey said attacks by outsiders were increasing, with the average large business suffering an attack every few days. However, the insider threat was still significant, with 36 per cent of the worst breaches due to human error.
Businesses were prioritising security, but this wasn't translating into effective security. The survey said 42 per cent of large organisations were not providing on-going security awareness training for staff. Businesses were even getting basic issues wrong, such as patch management.
Miller added, "The security industry needs to prove to management exactly what value they are getting for the controls they are putting in place."
"We're not quite getting the basics right. There are an awful lot of simple steps which we as organisations aren't doing. There's an awfully long road to go just in doing the simple things, let alone in some of the more complex and interesting areas."