The UK 2015 information security breaches survey has just been published, showing, as anticipated, that just about every aspect of security breaches is on the increase. A staggering 90% of large organisations surveyed admitted to having experienced at least one breach within the last year, up 9% from the previous year. Similarly, small business breaches increased, with 74% reporting a breach, up from 60%. The average number of breaches for a large business was 14, while for small businesses it was 4.
Another significant increase was in the cost of these breaches. Measuring the worst breach they experienced in the year, large businesses reported a cost of breach between 1.46 and 3.14 million while small businesses put it at between 75k and 311k. These are far higher than last year, where the top brackets ended at 1.15 million and 115k respectively.
The types of external attack have also seen some changes: the proportion of large organisations reporting DoS attacks actually dropped from 38% to 30%. Malicious software, on the other hand, has increased, with three quarters of large businesses and three fifths of small businesses being affected.
A particularly noteworthy fact is that 50% of all businesses attributed their worst security breach to human error. This is up a sizeable 31% from last year and serves as a strong reminder that employees are still the greatest security risk. As we’ve seen in other recent breach reports such as Imperva’s, it has never been clearer that training staff is a justified investment. Fortunately, businesses seem to be catching on. Of the large organisations, 72% said they provided ongoing security training for their staff, up from 68% last year. For small businesses this also rose, from 54% to 63%. As social engineering techniques become a more common way to gain access to an organisation and infect it with malicious software, the evidence continues to support increased education of staff.
What oddly seems to have decreased is overall spending on security among the bigger companies: just 46% of large business respondents expect their security budget to increase in the next year, which is surprising considering the number of high profile breaches that have occurred in the last 12 months. Insurance against security breaches has also declined: just 39% of large businesses have relevant insurance, down from 52% last year. Small businesses, on the other hand, expect their security spending to rise significantly, with 44% expecting an increase, up from 17% in last year’s report.
Unfortunately, besides the statistics regarding DoS attacks and malicious software, there is little information about precisely what kind of external attacks took place; the report focuses more on overall trends, behaviours and spending. While there was a noted 38% increase in ‘unauthorised outsider attacks’, the only figures given relate to DoS attacks and malicious software, with no further details about other types of attack.
Looking at threat actors, businesses reported that 36% of breaches were caused by malicious external third parties, including organised criminals, malware authors, activists and ‘non-professional hackers’. The report authors point out that perhaps more attention ought to be given to such figures, and the level of spending duly divided between addressing the different causes of the breaches (i.e. a large portion should go on staff training and a similar amount on security measures to mitigate the threat from external attackers).
Overall, the takeaway points from this report are that attacks are on the increase, the costs of breaches are soaring, and half of the most serious data breaches are caused by human error. Cyber security continues to be a consideration which businesses ignore at their peril.