The ‘2015 Information Security Breaches Survey’ was announced at InfoSec Europe in London today and contained some eye-opening statistics on the increasing number of data breaches and the average breach cost, as well as other findings on incident detection, response and cyber-insurance.
The headline statistic from the data, which is based on 661 responses collected over three months from November to March, was that 90 percent of large companies had suffered a data breach over the last year, compared to 81 percent last year. Small and medium-sized enterprises (SMEs) were also at risk, with 74 percent reporting breaches compared to 60 percent a year ago.
“Dealing with data breaches is now a fact of life,” said PwC cyber-security consultant Richard Horne, formerly managing director of cyber-security at Barclays.
The report also had bad news in terms of data breach costs, finding that the average breach cost for a large firm is now between £1.46 million and £3.14 million, compared to between £600,000 and £1.15 million in last year's report. The average breach cost varied between £75,000 and £311,000 for SMEs, up from £65,000 to £115,000 in 2014.
The average cost of breaches includes business disruption, lost sales and recovery of assets, according to the PwC report.
But there was positive news too; Giles Smith, standing in for culture and digital economy minister Ed Vaizey at the show, said: “The positive action is that more businesses are using the 10 Steps [to Cyber Security] guide, up from half to a third, while nearly half – 49 percent – have already got Cyber Essentials or plan to do so in the next year.”
“The UK has come a long way over the last few years, in the public sector and private sector, and a lot of it was borne out of great partnership work over the last few years. There's still work to do, but working together, we can get there.”
Vaizey said in a prepared statement that the government wants the UK "to be one of the safest places to do business in cyber-space".
"As the number and cost of breaches has risen this year, it is encouraging to see the steps some businesses are taking to improve their cyber-security.
"However, there is clearly a lot more Government and industry can do to continue tackling this issue."
In terms of incidents, PwC unsurprisingly concluded that “people are the main vulnerabilities to a secure enterprise”, but interestingly noted that malware – the top threat last year – has now fallen behind insider threats and external attacks (38 percent), a sign perhaps that social engineering and phishing are now more favoured by cyber-criminals.
Staff-related breaches affected three-quarters of large firms and 31 percent of smaller firms, up from 58 percent and 22 percent respectively a year ago.
Half of the worst incidents were caused by "inadvertent human error", the study found, while deliberate misuse of systems by employees and contractors accounted for 18 percent of the most serious breaches.
But despite these incidents, companies are seemingly having a hard time finding them on the network; the report indicated, somewhat surprisingly, that while 64 percent claimed to have identified incidents within a day a year ago, this had fallen to 46 percent this year. Eight percent took 100 days to identify an incident.
The report also found increasing use of cloud services, but not necessarily more diligence or contingency planning for when something goes wrong, and a dissipating belief that cyber-insurance would cover firms in the event of a breach. There was also a lack of training and board support.
On the latter, PwC's Andrew Miller said: “We should make it socially unacceptable not to have a user-awareness and training programme. All of this comes from the top however.”
James Chappell, founder and CTO of cyber-intelligence firm Digital Shadows, said that this report, taken together with Verizon's DBIR, points to data breaches getting worse, and that CEOs should recognise with eyes wide open that incidents cost them money, even if the share price remains the same.
“It may not affect share price but it will take money off the bottom line,” he said.
He also warned of lax attitudes to detection: “Once there was a time when people didn't try to detect things, but now I see thinking move away from that point, because if they're definitely going to lose something, they may as well minimise what they lose.
"What's really interesting is that when they start to look into [the breach], they start to uncover more and once they have this awareness they start to manage this properly.”
He was, nonetheless, surprised by the lack of change in board opt-in. “It used to be an IT manager, but now people in charge of risk are on the board”, he said, adding that the hire-and-fire CISO approach was still prevalent in industry. “I have once witnessed a caretaker CISO in my career.”
Dr Scott McVicar, general manager, commercial solutions, EMEA, BAE Systems Applied Intelligence, said during the show: "In a bid to keep pace with the ever-evolving threat, we're seeing increasing customer demand for sophisticated technologies to protect themselves against cyber-crime – not only from external actors, but also from internal sources, as one of the biggest risks to businesses is the threat of employees accidentally or purposefully leaking data.”
More analysis to follow.