Infosecurity Europe 2015, one of The State of Security’s top 10 conferences in information security, may be over, but now is the perfect time for industry professionals to internalize all of the findings shared at the conference. One such piece of research that demands our attention is the 2015 Information Security Breaches Survey.
Commissioned by HM Government, the 2015 Information Security Breaches Survey was conducted by PwC in association with Infosecurity Europe 2015 and Reed Exhibitions. More than 650 UK corporations across all economic sectors responded to the survey, which proceeded via the use of two online questionnaires and “sticky sessions.”
Below are three key takeaways of the study.
Key Finding #1: Breaches Are Increasing In Number, Scale, And Cost
According to the 2015 Information Security Breaches Survey, the number of security breaches has increased in the past year, whereas the scale and cost have nearly doubled.
This trend is highlighted by the fact that 90 percent of large organizations and 71 percent of small businesses that responded to the survey reported a breach this past year. These figures are up from 81 percent and 71 percent, respectively, as compared to last year.
On a positive note, the average number of breaches per year has decreased from 16 incidents for large organizations to 14; for small businesses, breaches have also decreased from six to four since 2014. The survey also indicates that distributed denial of service (DDoS) attacks have dropped across the board.
Even so, 59 percent of respondents expect to see more security incidents this year than they did previously. Additionally, each of these breaches will constitute a greater financial burden for larger organizations, given the rise in the average cost of a breach from £600,000 – £1.15 million last year to approximately £1.46 million – £3.14 million this year.
Key Finding #2: Infosec Spending Is Expected To Decrease
Another key finding of the 2015 Information Security Breaches Survey reveals that 44 percent of both large and small businesses increased their spending in information security last year, which is down from 53 percent and 27 percent, respectively, in 2014.
Additionally, estimates suggest that this downward trend in increased infosec spending will not change over the next year: 46 percent of large organizations and 7 percent of small businesses expect their information security spending to increase in the next year, which is down from 51 percent and 42 percent, respectively, last year.
Two areas in particular, cyber insurance and threat intelligence, are seeing a decrease in investments from all respondents. Nearly 40 percent of large organizations and 27 percent of small businesses currently have cyber insurance (which is down from 52 percent and 35 percent, respectively, a year ago).
Also, whereas 69 percent of respondents planned to invest or were invested in threat intelligence in 2014, only 63 percent planned to invest this year.
These trends may partially reflect the fact that one-third of large organizations say that responsibility for ensuring data protection is still unclear.
Key Finding #3: The Human Factor Is Still a Relevant Security Liability
The third and final noteworthy finding of the survey reveals that despite efforts to increase awareness among staff members, people are as likely to be the cause of breaches as are viruses and other types of malicious software.
In the past year, the number of UK organizations that have invested in staff awareness programs has increased. For example, 32 percent of respondents follow the HMG “Ten Steps to Cyber Security,” which is up from 26 percent last year. Furthermore, 49 percent of both large and small organizations are now badged or are currently working towards receiving accreditation under the Cyber Essentials or Cyber Essentials Plus programs.
This organization-wide focus towards security is reflected in the fact that 72 percent of large organizations and 63 percent of small businesses now provide ongoing security awareness training, which is up from 68 percent and 54 percent, respectively, in 2014.
Even so, the number of organizations to report a breach due to human error has grown.
Three-fourths of organizations and nearly a third of small businesses cited human error as the cause of at least one breach, which is up from 58 percent and 22 percent, respectively, last year. Half of respondents also revealed that the worst breaches they experienced were caused by inadvertent human error, up from 31 percent in the previous year.
Although it sought out the responses of UK corporations only, the 2015 Information Security Breaches Survey may reflect wider trends that stretch across national boundaries.
Organizations have made significant progress in the past year towards protecting their corporate and their customers’ data. However, given the increase in breaches this past year, it is clear that businesses must continue to seek out and mitigate security risks if they are to meet the ever-evolving online threat landscape.