IT Security Breaches Strike 93% of Large UK Companies

Almost all large companies in the UK suffered IT security breaches in 2013, as the number of cyber attacks reached record-breaking new levels.

A survey commissioned by the government's Department for Business, Innovation and Skills (BIS) found that 93% of large businesses (in excess of 250 employees) suffered security breaches during the last year; 87% of smaller businesses (fewer than 50 employees) suffered a similar fate.

Conducted by PricewaterhouseCoopers, the survey collected data from 1,402 respondents and found that larger companies experienced an average of 113 breaches during the year, while smaller firms each endured an average of 17 incidents.

The survey found that the worst attacks on large businesses cost them between £450,000 and £850,000 per attack; small businesses suffered losses of between £35,000 and £65,000 per incident.

PwC said: "Overall, the survey results show that companies are struggling to keep up with security threats, and so find it hard to take the right actions. The right tone from the top is vital; where senior management are briefed frequently on the potential security risks, security defences tend to be stronger."

More than three-quarters (78%) of attacks on large companies came from outside the company's computer network, and 39% of these were distributed denial of service (DDoS) attacks, where an IT network or website is bombarded with traffic until it is knocked offline.

Smaller companies fared slightly better, with 63% of breaches coming from outsiders and 23% of these involving DDoS attacks.

Human error

However, more than a third (36%) of the worst security breaches for both large and small companies were caused by inadvertent human error, a situation reflected by the survey's finding that 42% of large corporations do not provide any ongoing security awareness training to their staff.

A further 10% of breaches were blamed on deliberate misuse of computer systems by staff.

A quarter of respondents said their board of managers has not been briefed on the company's security risks in the last year, and 19% said it has never been briefed; a third of large companies say responsibilities for ensuring data is protected are unclear.

Of the companies where security policy is poorly understood, 93% claimed to have experienced staff-related security breaches, compared to 47% where the policy was well understood.

But as the threat of cyber attacks and IT security breaches increases, so does the spending on preventative measures. The report said: "Respondents now spend 10% of their IT budget on security on average; this is up from 8% in 2012 and is the highest level ever recorded in this survey... 92% of the respondents are expected to spend at least the same on security next year and 47% expect to spend more."