PwC sounds alarm over spiralling cost of security breaches


The economic cost associated with suffering a significant security breach has nearly doubled over the past year, according to a report by professional services firm PwC.

This year's version of its annual Information Security Breaches Survey suggests the number of breaches affecting UK business has fallen over the last 12 months.

The survey, which was commissioned by the Department for Business, Innovation and Skills (BIS) and carried out on its behalf by PwC, showed 81 per cent of large firms have suffered a security breach in the past year. This was down from 86 per cent in the 2013 report.


Meanwhile, the number of smaller companies who experienced a breach was four per cent lower than last year at 60 per cent.

However, the financial cost of these breaches is nearly double what it was a year ago, and the severity of them has increased.

Out of those that suffered a breach, PwC discovered that 10 per cent were forced to alter the nature of their business as a result.

The report states that the worst breaches companies suffer tend to be a virus, a confidential data loss or an outsider attack.

For small firms, this kind of attack can cost between £65,000 and £115,000 to put right, while the cost for larger firms is reportedly between £600,000 and £1.15 million.

Discussing the results at Infosecurity Europe in London earlier today, Chris Potter, a partner at PwC, said many of the affected organisations had security measures in place to protect them, but breaches still occurred.

"What we've seen - with the rise [in breach costs] between 2013 and 2014 - is that many of these worst breaches were for organisations who had all the anti-virus, they had it all up to date, and the technology did not protect them from the attack," he said.

Speaking at the event, Universities and Science Minister David Willetts said he was heartened by the downturn in the number of breaches, but concerned about the wider economic implications of their increasing cost.

"We, of course, in the UK government take [data breaches] very seriously, and we take it very seriously for lots of reasons," he told attendees.

"We pride ourselves in having a particularly large and growing online economy, with the internet accounting for eight per cent of our GDP, so it is important we maintain people's confidence in doing business online."

Andrew Miller, cyber security director at PwC, said the results highlight why cyber security needs to become a boardroom discussion.

"Given the dynamic nature of the risk, boards need to be reviewing threats and vulnerabilities on a regular basis," Miller advised.

"As the average cost of an organisation's worst breach has increased this year, businesses must make sure the way they are spending their money in the control of cyber threats is effective.

"Organisations also need to develop the skills and capability to understand how the risk could impact their organisation and what strategic response is required," he added.

Garry Sidaway, global director of security strategy at NTT Com Security, said the results show more work needs to be done to prepare businesses for the threat of security breaches.

"Whilst businesses are visibly more aware of the security risks and the financial burden resulting from a security breach, organisations need to fully grasp the sophistication of the threats at hand, and prioritise efforts and projects that meet their business goals," said Sidaway.

"By aligning their enterprise security architecture to their Governance, Risk and Compliance approach, they can select enabling technologies to drive Security Operations. This approach will reduce the impact of threats and ensure that businesses remain efficient and agile."

Caroline Donnelly is the news and analysis editor of IT Pro and its sister site Cloud Pro, and covers general news, as well as the storage, security, public sector, cloud and Microsoft beats. Caroline has been a member of the IT Pro/Cloud Pro team since March 2012, and has previously worked as a reporter at several B2B publications, including UK channel magazine CRN, and as features writer for local weekly newspaper, The Slough and Windsor Observer. She studied Medical Biochemistry at the University of Leicester and completed a Postgraduate Diploma in Magazine Journalism at PMA Training in 2006.