The Department for Business Innovation and Skills have recently published their research into Information Security Breaches for 2014, which details the level of threat experienced by businesses during 2013 and the risks associated with having an online presence. Their key findings confirm that businesses must continue to invest in security measures to protect against the ongoing dangers.
The key points from this research are:
1. The volume of Security Breaches has reduced, but the scale and cost to business have almost doubled.
2. Investment in security is increasing across all sectors, impacting IT budgets.
3. Providing Information Security within small businesses has seen a rise in spend.
4. Mobile devices offer flexible ways of working, but they bring inherent risks for companies.
5. Confidence in the availability of security resources has risen.
6. 70% of businesses are not divulging their worst security breaches. Therefore, many are going unreported.
Security incidents have reduced but the potential costs stay the same
Security breaches have slightly decreased for both large and small organisations in the past year, but a significant number of companies still experienced incidents. Over 80 percent of large businesses were impacted, along with 60 percent of small organisations.
Large businesses experienced an average of 16 breaches in 2013, with the worst occurrence costing them at least £600,000. Small businesses were affected 6 times on average, with the most serious breach costing them at least £65,000. For both large and small companies, the cost of the worst security breach was higher than had previously been the case. Small businesses in particular were hard hit – their most serious security issue was almost twice as costly compared to the previous year.
Losses in revenue were another big problem, especially for small businesses. Their average security breach led to losses above £3,500 – more than 10 times greater than the previous year’s figures. The story wasn’t too different for large businesses; their average security incident resulted in losses of at least £8,000 – around 8 times more than in 2013.
The associated disruption cost 5-8 days for large businesses and 7-10 days for small businesses. In both cases, this was at least double the amount of downtime compared to 2013. The financial repercussions of this downtime continued to increase for both large and small businesses. The worst security breach cost upwards of £40,0000 for small businesses and £350,000 for large companies.
The full impact went beyond the financial effects – nearly 10 percent of respondents had been forced to change the nature of their business as a direct result of the worst security breach. System downtime and reputation damage were also potential consequences of a security incident. Damage to reputation was estimated to have cost at least £1,600 for small businesses and £50,000 for large businesses.
Despite the reduced number of incidents, almost 60 percent of respondents confirmed that they still expect to see a rise in security breaches going forwards. This may be at least partly due to the fact that many businesses are battling against both third party and “inside” attacks on their security.
Over half of large businesses were compromised by outside attacks, compared to around a third of small organisations. Staff-related security breaches were less problematic than before but still affected 58 percent of large businesses and 22 percent of small businesses. Across the board, over 30 percent of the biggest security incidents were caused by human error or malicious behaviour by staff members.
New technology is requiring more risk-based decisions
With more businesses looking to embrace new technology, security risks are becoming increasingly versatile. Around 16 percent of large organisations had security breaches relating to social networking usage whereas only 5 percent of small businesses were aware of this type of incident. This difference can be explained by the evidence that fewer small companies are committed to using social networking and are therefore less likely to be impacted by this type of security breach. Those that do recognise the benefits of social networking are often using inferior detection methods in comparison to larger organisations. All businesses must therefore be in a strong position to safeguard against cyber incidents that could occur through mobile devices and social networking.
More businesses are recognising the importance of security – especially small organisations
Security breaches may have lessened but this has not made businesses complacent. Indeed, many more companies are understanding the need to invest in security. Key drivers for this include the need to safeguard customer data, comply with laws and regulations, and prevent downtime.
The ongoing fear that breaches will compromise business is being reflected in the investment in security as part of the overall IT budget. Almost 80 percent of respondents stated that their senior management were placing high importance on security and this is shown in their corresponding IT budget. Small businesses placed more significance on this than their larger counterparts, with 15 percent spending at least 25 percent of their IT budget on security compared to just 10 percent of big businesses. The majority of these businesses reported that they expect to spend the same amount on security or to exceed it. This was the case for 94 percent of small businesses and 86 percent of large businesses.
Investment in security is increasing across a wide range of sectors. Unsurprisingly, technology companies are most committed to security, followed by consultancy and professional services companies. Beyond this, there is growing investment across sectors that were previously placing less emphasis on security. This includes media, retail, leisure and entertainment firms. The travel and pharmaceutical sectors are still slow on the uptake with regards to investing in security.
As well as setting more money aside, more businesses than ever are educating their staff about security in light of the potential threats caused by inadequate knowledge. Almost 70 percent of large businesses are now providing security awareness to their staff (up 10 percent from 2013), along with 54 percent of small businesses. This is not the case across the board though – 20 percent of businesses admitted that they had not conducted any type of security risk assessment.
Confidence in the availability of security resources has increased
Less than half of respondents from small businesses believed that security breaches will necessarily increase in the next year, which indicates their confidence in protecting themselves against the risks. Around two-thirds of respondents also had confidence in the availability of security resources to detect the latest threats to their security.
Of those that were less optimistic, it was the consultancy, professional services, health, energy and mining sectors that were most concerned about future security-related problems.
The full report is available here to download.
If you would like to discuss any of these issues and how they may affect your business, please call us on 0845 600 4696.