UK companies are suffering more cyber security incidents than their global counterparts but are falling behind others in detecting them. That is according to the latest Global State of Information Security report by the auditors PwC. Nearly seven in ten companies in the UK (69 per cent) experienced a security incident in the past 12 months, compared with 59pc globally.
PwC interviewed 9805 executives from more than 154 countries, including over 475 from the UK, across all industries, in the annual report that looks at the challenges faced by companies in protecting their businesses and their assets from cyber security incidents.
The number of reported security incidents around the world rose 48pc to 42.8 million, the equivalent of 117,339 attacks per day in 2013, according to the survey released by PwC with CIO and CSO magazines. More than one in five (22pc) of the UK companies surveyed say they did not detect any security incidents in the past year, compared with 16pc globally and 18pc in Europe. Further, 8pc of UK businesses say they do not know how many security breaches they have had in the last 12 months.
While more than half (55pc) of UK companies say they plan to spend more on security this year, compared with 42pc last year, a further 33pc of companies report their spending will stay the same. The rest either plan to cut back on spend or don’t know what they will do. By contrast, there is more uncertainty overseas about security spending, with 18pc of US companies saying they do not know what they plan to spend in the year ahead.
Leadership is cited by 30pc of respondents as the biggest obstacle to improving the overall effectiveness of the security function. Over a quarter of respondents (29pc) do not think there is a senior executive who proactively communicates the importance of information security, up from last year.
UK respondents say the top three obstacles to improving security are: insufficient capital funding, a lack of leadership from the CEO or board, and the lack of an effective information strategy. On a positive note, 42pc of UK respondents say their boards are engaged with the overall security strategy, compared with 37pc of US interviewees.
Richard Horne, cyber security partner at PwC, said: “A sizeable minority of UK businesses are underestimating the scale of the problem they face. Information security incidents are a fact of life, and a critical element of defence is the ability to detect and respond to incidents quickly before they have an impact on business. The fact that nearly a third of UK businesses either has not detected a security incident or knows that they are in the dark suggests that more attention is needed across the UK economy to protect our businesses.
“The increasing spend on information security is welcome but securing digital assets has to be embedded in the DNA of all organisations. That requires leadership and a clear strategy, which again appears to be missing in nearly a third of businesses. It is encouraging that there is better board-level engagement with security strategy and spending, and that the UK is ahead of the US in that regard, but more needs to be done. Cyber threats continue to evolve and no organisation can stand still. Businesses in all sectors need to prepare and refine their defences – and respond to breaches – against incredibly sophisticated attacks. This is a risk that can be managed, but it requires continual focus, leadership and commitment – not just to prevent breaches but also to detect and respond to incidents rapidly when they happen.”
The impact of security breaches has continued to affect business. Over a quarter of UK respondents say customer and employee records have been compromised; over 22pc have suffered the theft of intellectual property; and 20pc have suffered financial losses. In total, 70pc of UK companies say they experienced some business down time as a result of security incidents this year. Some 59pc experienced up to 24 hours of down time.
Cyber insurance is one area where companies can look to protect themselves from theft or misuse of data. Over half of UK companies have cyber insurance but another 17pc do not know whether they have any cyber insurance policies in place. UK companies have been less proactive at claiming against their policies, with 34pc making claims compared with 48pc globally.
Insiders, particularly current or former employees, are cited as a major source of security incidents by most respondents. Hackers and competitors are cited by fewer respondents as the source of outside security incidents.
Grant Waterfall, cyber security partner at PwC, said: “The results indicate that awareness of cyber security risk in the UK is improving. We’re seeing the benefit of a number of Government and private sector initiatives. Although there is still some way to go, the focus for many organisations must now shift from awareness to action.”
Finally, the survey reports that UK companies have embraced initiatives to address risks from mobile security, following the trend for employees to use smart phones and tablets seamlessly between work and home, but they are still not as good at setting controls as they should be given the increasing trend in ‘bring your own device’ (BYOD). Over 56pc have mobile security strategies – higher than the global figure – but 18pc say they do not have any controls.