A report released this week at Infosecurity Europe by PricewaterhouseCoopers (PwC) has claimed that a wave of security breaches is hitting UK organisations, costing them billions of pounds.

The 2010 Information Security Breaches Survey (ISBS) claimed that this is a continuing problem, despite the fact that security remains high on management's agenda and the recession has not dampened spending on security.

The survey found that larger organisations are being bombarded with attacks, with 62 per cent infected by a virus or malicious software in the last year, compared with 21 per cent in 2008. Sixty-one per cent had detected a significant attempt to break into their network, almost double the amount from 2008.

Among large organisations 46 per cent said they had had staff lose or leak confidential data, while 45 per cent of confidentiality breaches were very or extremely serious. Most respondents were pessimistic about the future, with 56 per cent of large organisations and 43 per cent of smaller ones, expecting more incidents next year, back to levels last recorded in 2006.

Chris Potter, partner of OneSecurity at PwC, said: “Almost half the organisations we polled told us they had increased their expenditure on information security in the last year and roughly the same number said they expected to spend more on it next year.

“At the same time most organisations assess information security risks now, compared to just 48 per cent who did so in 2008. So organisations are getting better at understanding security risks in a changing business environment where a large majority of them are relying increasingly on external services hosted over the internet.

“However, this focus is not translating into fewer breaches of security; in fact the number has risen to well over double what it was two years ago and has reached record levels for all sizes of organisation. All types of breach were on the increase and a conservative estimate is that the total cost of breaches to UK business in billions of pounds is now well into double figures.”

Commenting, John Colley, managing director EMEA at (ISC)2, said: “The spectacular reversal of fortunes reported in the survey proves that more security controls do not necessarily add up to more control. Despite the fact that more companies are placing a high priority on security, establishing formal security policy, and even investing in more controls, the opportunities to exploit are multiplying. 
 
“Clearly the opportunists are being strategic; more of the same is required of their victims. With 44 per cent of companies entrusting critical services to third parties, and only 17 per cent encrypting the sensitive data held with third parties, companies are making some basic errors. Similarly, the rapid adoption of new technologies, such as VoIP and virtualisation, continues to lag the adoption of effective controls for them.
 
“Many of the vulnerabilities—such as social networking behaviour –do not have a technical response so throwing more or new technology at this problem rather than common sense is not the answer.  This report confirms that the pressures driving demand for information security services today speak to core business priorities that demand professional assessment. Only then will we see the strategic enterprise-level response to the risks that is required.”

Neil Stephenson, CEO of Onyx Group, said: “This is a staggering rise in cyber crimes over a two year period. Reports of viruses affecting business will ring true for companies of all sizes, highlighting the need for an extensive and secure data recovery and back up protocols in the event of a serious cyber attack.

“Businesses may understand how critical their data is but they need to ensure they secure this data appropriately, and put in place mechanisms to reduce the detrimental affects a security breach can cause to business operation and, ultimately bottom line. As businesses continue to rely on external organisations to host and manage their data, they need to ensure they are aware of the security risks and implement the appropriate mechanisms to prevent security hacks to their IT systems.”