A new UK government survey, conducted by PwC in association with Infosecurity Europe, has revealed some interesting findings about data breaches, the key takeaway being that the number of breaches has increased year on year.
Reversing the small decrease seen in 2014, this year’s report shows that a whopping 90% of large organisations were breached in the previous 12 months (up from 81% last year). The report clearly highlights that it is not only large companies that need to be concerned though – some 74% of smaller firms were also breached (up from 60% in 2014).
While the actual number of breaches per organisation has dropped from 16 to 14 for larger companies and from 6 to 4 for smaller firms, 59% of respondents expect to see more security incidents next year, something that may be explained by a reported levelling out of security spending.
Even though the cost of breaches continues to soar – large organisations among the 650 responding companies reported average losses of £1.46m to £3.14m and smaller respondents quoted average figures of £75k to £311k – many respondents reported a slowdown in the growth of security budgets.
While expenditure was still expected to increase, by and large, fewer organisations were expecting to receive beefier budgets than the year before. Respondents from smaller firms were far more pessimistic than those from larger players, with only 7% expecting additional funding in 2016.
Given the reported slowdown in security spending, it seems likely that organisations will become increasingly interested in getting the best value from their expenditure and, based upon the views garnered by this survey, that may well be in the area of staff training and awareness.
We’re huge fans of both here at BH Consulting and firm believers in their usefulness to both employees and the business as a whole. It is therefore rather disappointing to note that the survey concludes the human element to be a particular area of concern, as it has been for many years now.
While the surveyed companies reported an increase in staff awareness programs, they do not appear to have got their money’s worth from them, with many still citing employees as the highest area of risk within their organisation, responsible for the vast majority of breaches and other security incidents.
Three quarters of large organisations said human error caused at least one breach, up from 58% last year, while almost a third of small companies blamed staff for the same, up from 22% in 2014.
While we can probably conclude that businesses are becoming increasingly aware of the dangers of being breached – incidents are making the news more than ever before – they are continually struggling to mitigate the risks, regardless of size.
While budgets and technical controls obviously come into play and affect an organisation’s ability to protect its digital assets, the human aspect still appears to be the area requiring the most work. Staff training and awareness programs are known to be effective, but many companies do not appear to have leveraged them to their full potential.