
Study reveals impact of security breaches on businesses and failings in detection of incidents

Out-Law News | 02 Oct 2014 | 5:20 pm | 3 min. read

Cyber security incidents cost businesses $2.7 million each on average, up 34% from last year, according to a new study.

PwC's 'Global State of Information Security Survey 2015' report, seen by Out-Law.com, revealed that cyber security incidents cost large businesses – those with revenues of more than $1 billion – $5.9m on average this year. PwC said, though, that there are non-financial costs to businesses that also arise from cyber security breaches.

"Financial impact may include decreased revenues, disruption of business systems, regulatory penalties, and erosion of customers," the report said. "Non-financial impact may include reputational damage, the pirating of products, diversion of research and development information, impacts to innovation, stolen product designs or prototypes, theft of business and manufacturing processes, as well as loss of sensitive information such as M&A plans and corporate strategy."

In the UK, 70% of the 475 respondents to PwC's survey said their organisation had "experienced some business down time as a result of security incidents this year", with 59% of UK respondents stating that the 'down time' lasted for up to a day.

More than half of businesses (51%) now have a cyber insurance policy, the study also revealed.

"Perhaps more significant is the finding that some companies are leveraging cyber insurance as a way to improve their security program," the PwC report said. "More than a third (36%) say they have taken steps to enhance their security posture in order to lower their insurance premium. Aerospace and defence, automotive, entertainment and media, and financial services companies are most likely to purchase cyber insurance."

PwC surveyed 9,805 senior business managers, including chief executives, chief information officers and directors of IT and security based across the globe. According to its report, there were 42.8 million security incidents detected this year, up 48% from 2013 figures. This equates to an average of 117,339 security incidents being identified each day. The report said, however, that there are many cyber attacks that go undetected by businesses.

"Worryingly, over 22% of the UK companies surveyed say they did not detect any security incidents in the past year, compared with 16% globally and 18% in Europe," a PwC statement issued alongside its new report said. "Further, 8% of UK businesses say they do not know how many security breaches they have had in the last 12 months."

According to the report, large companies on average spot the most security incidents. This is because they have "more mature security processes and technologies in place". However, small companies detected fewer security breaches on average this year compared to 2013, the report said, indicating that those businesses may be "investing less in information security", leaving them "both incapable of detecting incidents and a more tempting target to cyber adversaries".

Despite the general increase in the number of detected security incidents, though, the survey revealed that global information security budgets fell by an average of 4% this year in comparison to 2013 levels. However, expenditure on IT security varies depending on the size of the organisation, the PwC report said.

"This year, companies with revenues less than $100 million say they reduced security investments by 20% over 2013, while medium and large companies report a 5% increase in security spending," the report said.

According to the survey, current or former employees are the most commonly cited sources of security incidents stemming from inside organisations. Hackers and competitors were jointly identified as the primary source of security incidents identified as coming from outside of organisations.

The report also found, though, that an increasing number of cyber security incidents identified by businesses could be traced back to "current and former service providers, consultants, and contractors". Most respondents (59%) also said they were concerned about government surveillance, which PwC said was fanned by revelations in the media about surveillance measures used by UK and US intelligence agencies.

PwC's 'Global State of Information Security Survey 2015' report revealed that the board of directors at most organisations is not actively involved in setting the company's "overall security strategy". Just over a third of boards are involved in setting security policies, and just a quarter are involved in reviewing current security and privacy threats facing their business, the report said.

However, the study revealed that most businesses are now collaborating with others to improve their systems security. The majority of respondents (54%) also said their organisation has a mobile security strategy in place, which represents a rise of 12 percentage points from 2013 figures, PwC said.