93% of large organisations had a security breach last year

Filed Under: Featured, Security threats

Image of London financial district courtesy of ShutterstockA new survey commissioned by the UK Government's Department for Business, Innovation and Skills (BIS) has revealed the scale of cyber attacks on UK companies.

The 2013 Information Security Breaches Survey, which collected data from 1,402 respondents, presented results for large organisations (in excess of 250 employees) and small firms (less than 50 members of staff).

One of the key findings of the report was the level of attacks sustained by businesses - with breaches reaching record levels. The survey discovered that 93% of large organisations experienced a security breach last year, a figure that is broadly in line with 2012 reports. Smaller businesses, however, saw a marked increase in the number of attacks levied against them. Some 87% of smaller firms reported experiencing a data breach last year, which is up significantly from 76% the previous year.

An average of 113 security breaches

The number of security breaches within each of the affected companies also showed a sharp increase too. Larger companies experienced an average of 113 breaches and smaller firms reported 17 such incidents, an increase across the board of almost 50% year on year.

It's not only the number of breaches that have increased amongst survey respondents though – the financial impact has also risen. The survey concluded that the worst security breaches were costing large companies an average of £450,000 - £850,000 each. Smaller businesses typically experienced losses of between £35,000 - £65,000.

The survey determined that the attacks faced by businesses over the last year came from both outside and inside the organisation.

A whopping 78% of large organisations reported attacks from outsiders over the last year with 39% of those incidents being denial of service attacks. Smaller companies fared slightly better in both regards with 63% reporting outside attacks. The number of smaller firms which experienced a DoS attack was 23%.

The survey respondents did not just experience random attacks though - 14% percent of larger businesses reported the theft of confidential data or intellectual property by external attackers, while 9% of smaller firms experienced such losses too.

36% of the worst breaches down to human error

Insider threats also pose a risk to organisations though. The survey found that technology, people and processes were to blame in several cases. Of the worst security breaches during the year, 36% were attributed to human error. Alarmingly, an additional 10% of the reported security breaches were pinned on staff and their misuse of systems.

On a more positive note the survey discovered that attitudes towards information security are generally good and continually improving too.

The survey found that 76% of larger organisations believe that senior management place a high level of priority on information security. Interestingly, smaller firms were better, with 83% placing a strong emphasis on security.

It should be noted that while the vast majority of larger companies now have a written security policy in place, most respondents indicated that staff understanding of the policy is still relatively poor, in turn leading to twice the number of internal security breaches than in organisations where employees had a good understanding of the policy.

Another contributory factor with regards to internal breaches could be a lack of staff training. Survey respondents indicated that many large organisations only prioritised training after a breach. At the time of induction 10% of new staff were given no security training whatsoever and 42% of large firms failed to employ any kind of ongoing training in terms of security awareness.

Given the level of security incidents experienced by firms of all sizes it is not surprising to learn that many of those surveyed expected security spending to either stay the same in the coming year or to increase.

Larger organisations expect to spend more next year in customer data protection and compliance, but just how much a business spends on security seems to be highly dependent upon the outlook of senior members of the management team.

The survey ends by saying that the majority of firms believe that the number of breaches next year is likely to be higher.  As per this year, attacks are expected in every industry though the public sector and financial services showed more concern than other sectors.

Dealing with security breaches

Respondents' replies would suggest that the best course of action in dealing with security breaches, which will likely affect most companies this year, is to have a strong set of contingency plans in place. It would also be advisable to have an incident handling plan in place before a breach takes place rather than afterwards.

Likewise, training people in security best practices from day one is a sound investment. Good quality training is likely to minimise the risk of being the next company facing a PR challenge following a high profile security incident.

After all, bad publicity can have a very negative influence upon consumer trust in a business, a fact that has been borne out by another recent survey undertaken by Populus. That survey suggests that around one quarter of UK residents have had their online accounts hacked with a significant number of victims saying they would cease to do business with any entity that had been breached.

If you'd like to know more about the kind of threats we think your business will face in the coming year then download our freshly minted Security Threat Report 2014.

Image of London's financial district courtesy of Shutterstock.


, , , ,

You might like

4 Responses to 93% of large organisations had a security breach last year

  1. LonerVamp · 281 days ago

    As usual, the problem with statistics like this is being clear what "security incident" means to both the respondents and the survey itself. I see that accidental, staff-related incidents counted, including web misuse or email misuse.

    Get a large enough organization (i.e. a large enough sample size) and you probably can always say some sort of "security incident" occurred at some point in the last year, even if it's just one web filter alarm when someone tried to browse gmail on their second day of work.

  2. Jim · 281 days ago

    I view this web page and many others daily for possible threats that I can guard against in my large org. But after today that your researchers decided to use what I think is a very inaccurate estimate of 93% without any real proof or very small sampling I will discontinue using this website any further. I don't care to hear your justification of why but next time I would not report such inaccurate numbers just to spike the IT community to do better. We are under extreme pressure to protect our orgs and don't need you to be cattle proding us. If your are going to be my trusted source you need to not use such inaccurate data.

    • Jim · 280 days ago

      I did not think you would allow my comments!

    • Paul Ducklin · 279 days ago

      Because you don't wish to hear an explanation I shan't bother to offer one.

      It would be interesting, however, to hear from *you* why this data can be dismissed as "such inaccurate numbers" when (unless I have misread the whole thing) it is merely reporting what a reasonably large sample of people in your sector said when asked.

      It may not be the case that 93% of orgs have had breaches, but it seems that 93% of a biggish sample seem to be fessing up that they have :-)

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Lee Munson is the founder of Security FAQs, a social media manager with BH Consulting and a blogger with a huge passion for information security.