The most severe data breach incidents experienced by large businesses cost those companies at least £1.5 million on average and in some cases more than £3m, the information security breaches survey 2015 found. Almost all businesses experienced at least one data breach incident in the past year, with 90% of large organisations and 74% of small businesses reporting a security breach in the survey.
"This is a real reminder of the true costs of information security beaches, over above the potential for regulatory fines and civil claims, and the administrative costs are set to rise under the General Data Protection Regulation currently being negotiated at EU level," said data protection law expert Lucy Jenkinson of Pinsent Masons, the law firm behind Out-Law.com.
According to the study, there has been a near tripling in the cost to businesses of the worst data breaches they experienced, compared to figures obtained in the information security breaches survey in 2014.
The biggest cost to businesses stemming from a data breach incident relate to business disruption caused by those incidents, the report found, with costs ranging from between £800,000 and £2.1m on average for disruption spanning four to 11 days.
Other costs of data breaches, including from the loss of assets such as intellectual property, lost business and in time and money spent responding to incidents were also highlighted, together with costs associated with the reputational damage experienced by businesses.
"The average cost of the worst single breach suffered by organisations surveyed has gone up sharply for all sizes of business," the information security breaches survey 2015 report said. "For companies employing over 500 people, the ‘starting point’ for breach costs – which includes elements such as business disruption, lost sales, recovery of assets, and fines & compensation - now commences at £1.46 million, up from £600,000 the previous year. The higher-end of the average range also more than doubles and is recorded as now costing £3.14 million (from £1.15 in 2014)."
Half of the worst breaches could be attributed to "inadvertent human error", according to the report. However, larger businesses are also becoming more of a target for cyber attacks, it said.
"Considering all breaches, there was a noticeable 38% year on year increase of unauthorised outsider attacks on large organisations, which included activities such as penetration of networks, denial of service, phishing and identity theft," the report said. "Overall, three-quarters of large organisations suffered from this type of attack in 2015, up from just over half the previous year.
According to the report, only 39% of large organisations and 27% of small companies believe they have insurance that would cover them in the event of a data breach. However, only a minority of those companies have dedicated cyber risk or data breach insurance cover, it said.
"For the organisations who claimed to have coverage, the majority believe that their existing insurance policies would cover their costs in the event of a breach, with a corresponding minority stating that they had purchased a specific cyber insurance policy," the report said. "Of the organisations which have not purchased insurance, 12% were intending to purchase a policy in the next year, 47% felt that it was not a priority and 19% were not even aware of the existence of such coverage."
Forthcoming reforms to EU data protection rules could be "the catalyst to change the cyber liability insurance landscape in the UK", the government said. The General Data Protection Regulation, currently being negotiated, would introduce a new mandatory data breach notification regime for businesses.
The government also highlighted that fewer than a fifth of data breaches (18%) are spotted immediately by organisations, with fewer than half (46%) identified within a day. In 8% of cases it takes companies more than 100 days to spot they have been a victim of a data breach. The report showed that 10% of breaches are uncovered "by accident" and that companies first become aware of the incidents as a result of media reporting in a further 10% of cases.
"The survey reports that only 27% of incidents are detected through routine security monitoring and failure to keep patched contributed to 12% of breaches, as far as respondents were aware," its report said. "It is clear that maintaining patch levels to guarantee enterprise security can no longer be relied upon; whilst important, it should not be the sole method of control, but be one in an array of measures."
Ed Vaizey, UK government minister for the digital economy, said businesses should refer to government guidance on cyber security and seek accreditation for their cyber security practices under the Cyber Essentials scheme.