Piecemeal, ill-conceived and outdated IT and data security strategies are leaving businesses open to attack, and almost half of large organisations admit they are failing to comply with data protection (DP) legislation. These were among the headline findings of the biennial, government-sponsored Information Security Breaches Survey report from PwC and the Department of Business, Innovation and Science, released at the Infosecurity Europe conference in London late last month.
The survey is the most comprehensive of its kind, based on detailed responses from 450 organisations in the UK of differing sizes and across all sectors. Since the last one was published in 2010, the number of reported security breaches has almost doubled, with 93 per cent of large organisations and 76 per cent of small businesses admitting they have been hit in the past year.
Chris Potter, information security partner at PwC and co-author of the report, said the cost to UK business runs into billions of pounds. “It’s always hard to estimate the precise sums involved, but on average, large organisations say their worst breach last year cost them between £110,000 and £250,000,” he said.
The largest portion of this is due to the effect on business of system downtime, although this has fallen slightly as a proportion since the last survey. “There is also a significant and growing cost associated with fixing the problem and dealing with any aftermath,” said Potter.
Particularly worrying, he thinks, is the fact that 12 per cent of organisations said their intellectual property (IP) had been stolen. “Detecting IP theft is very difficult, so if 12 per cent are reporting it, then that’s probably just the tip of the iceberg,” he told Computing.
Launching the survey at Infosecurity, Minister of State for Universities and Science David Willetts said: “I deal with many businesses whose real value is their IP, so I’m shocked by the number that don’t recognise the importance of protecting that IP.”
While admitting that “there is no such thing as perfect security”, Willetts had some advice for IT strategists: “Businesses need to know which information assets are most valuable in terms of their business processes, shareholder value or company reputation. They need to ask whether they’re managing that risk effectively, making informed judgments and investing at the appropriate level, including addressing issues such as staff awareness and training.”
On average, companies spend eight per cent of their IT budget on information security. Although this represents a significant amount of money, PwC’s Potter noted that most organisations fail to assess the effectiveness of their expenditure.
“Only 20 per cent evaluate the return on investment of their security spending. That’s a very low figure, suggesting most organisations are at risk of treating security as an overhead rather than an investment,” he said. “And in today’s environment overheads are bound to be squeezed.”
Worryingly, almost half (45 per cent) of large organisations admitted they had breached data protection laws in the past year, with one in 10 of these saying this happened daily. And while the number of small businesses admitting to DP infringements was, at 11 per cent, a lot lower, elsewhere in the survey one in five smaller businesses conceded they had lost confidential data in the past year. Some 80 per cent said these breaches were “serious”.
These findings were compounded on the second day of the conference, when keynote speaker Christopher Graham, the UK’s Information Commissioner, released the results of an investigation by his Office (the ICO) into the trade in used hard drives.
In December 2010, the ICO asked computer forensics company NCC Group to source and analyse around 200 hard drives from the second-hand market. Of these, 48 per cent contained readable information, 11 per cent of it personal data.