Do you think that data breaches and other security incidents are a peril that befalls only the largest of organisations?
If so, think again.
New research from Kaspersky Lab, in collaboration with B2B International, reveals that 94% of all the businesses within the survey have suffered from at least one security incident in the last year, a rise of 3% over the previous period.
With a total of 3,900 responses from companies of all sizes across 27 countries, the report concluded that spam represented the largest external threat to companies, having been identified by 64% of those questioned. By way of comparison, last year the biggest threat was named as viruses, worms, Trojans and other types of malware.
Of the companies that experienced a security incident, some 12% said that the attacks were targeted, a significant rise from the 2012 and 2013 reports, which found that such attacks affected only nine percent of companies.
Given the proliferation of data breaches recently, it is good to see that thirty-eight percent of the companies surveyed said that protecting confidential data was their top priority, though I would still like to see that figure increase in the future.
When things go wrong and data is compromised, companies tend to lose their own data most often, with 43% of the respondents saying that internal operations data was compromised and 22% reporting that financial data was lost. Client data was lost during thirty-one percent of security incidents.
Encouragingly, the survey respondents indicated that of all the types of data that could be lost, customer data was the type that concerned them the most (22%). Not so encouragingly, only 7% of companies thought that the loss of payment information was a worst-case scenario.
Whatever the end result of a security incident, the costs were significant. A single incident was found to do up to $2.54 million (£1.58 million) of damage, and the average cost of a security snafu was $720,000 (£447,000), according to the report. Looking specifically at smaller businesses, the report put the average cost of an incident at $42,000 (£26,000). Interestingly, the figures reported by UK businesses show that British firms have it tougher than those in other countries, with average incident costs running between 67% and 130% higher. Only Brazilian firms recorded a higher average cost per incident within the enterprise.
While the report shows some encouraging signs in the way that businesses of all sizes are recognising the threats posed by security incidents in general, and targeted attacks specifically, there is still a long way to go in terms of raising awareness, as Chris Doggett, managing director of Kaspersky Lab, North America, explained:
“The survey results clearly indicate that many businesses now recognise that the threat of a targeted attack is very real and could be very harmful for their organisation. However, we are seeing that the number of companies that are actually taking that knowledge and turning it into an action to protect their organisation from such attacks is still alarmingly low.
If people want to break into your organisation, they will. Rewards are so much higher and the risk is so much lower than physical attacks that organised crime has gotten into it. But the attacks are difficult to protect against because they defy traditional security measures such as firewalls. Criminals can be so covert that they can stay on your system for years without being detected.”
As I wrote on Monday, far too many businesses are investing all their eggs in the firewall and anti-malware basket and nowhere near enough are hatching in the cradle of awareness training which is so vital in terms of educating staff to look out for and avoid some of the more obvious and damaging attacks that a business can face. And, if any more proof was needed that staff need help in understanding security risks, another Kaspersky Lab report released today shows that 1 in 8 users don’t believe that security threats are even real (it’s a conspiracy?) and 32% are not even aware that their online accounts are at risk (think what that may mean within the context of your organisation).