PwC says UK Security Breaches Often Not Reported

the-importance-of-getting-the-right-technology-to-protect-your-business-jurga-zilinskiene-today-translations-8-638.jpg?cb=1404367953

 

The majority of UK organisations suffering a security or data breach will never report it to anyone outside the company, the PwC Information Security Breaches Survey covering 2014 has once again suggested.

It’s not a new finding, nor even a surprising one, but the scale of the issue is one of the noteworthy sections of what is now at 15 years and counting the longest-running IT breaches survey in the world.

PwC received 664 responses to feed into its 2015 survey, of which a scandalously low 42 even took on the question covering their reporting policy. Of these, 19 percent had reported security incidents to a government agency (including the ICO), 14 percent the police, 12 percent their ISP, 10 percent Action Fraud. Only 14 percent had owned up in public to the issue with more than one in five not even sure how or to whom a report should be made.
Meanwhile, breaches are up – of course - with 90 percent of large firms and 74 percent of smaller ones reporting an event, up from 81 percent a year ago.  
 “It appears that law enforcement agencies are not being informed of all attacks,” said the report’s authors with under-statement. “This makes it challenging for the agencies to estimate the scale and types of crimes that are being committed and respond accordingly.”

As for keeping the anti-virus firms in the loop, only 2 percent did that although not all incidents will have been connected to a failure of that security layers so this is not as dire as it might sound.
“This year’s survey echoes previous findings that the level of reporting in the UK remains low. Perhaps the fear of reputational damage and potential compensation costs along with the lack of reporting culture in this area means that most organisations are not willingly admitting to information security breaches,” added PwC.

Breaches also cost more than they did in the past, with the average ranging between £1.46 million and £3.14 million for large organisations and a still hefty £75,000 to £311,000 for smaller firms, and just as there are more breaches being detected, more of these are targeted at every level from internal to external or a combination of the two. A percentage of attacks now strike through partners or third parties rather than directly.
“A breach is pretty much inevitable for any organisation in the UK. Dealing with breaches is now a fact of life,” commented Deputy Director for Cyber Security and Resilience within the Department for Business, Innovation and Skills (BIS), Giles Smith, at the report’s Infosec Show launch event in London this week.

PwC lists a long and tedious list of causal factors although a lack of priority given to security was among the most prominent. Even now, in 2015, some organisations fail to take security seriously or, worse, think they are taking it seriously, without actually doing so at a deeper level.

One interesting side-note buried in the report is that the Government’s flagship Cyber-Essentials/Plus scheme seems to be doing well with half of all organisations either accredited or on their way to being so. There could be a phenomenon of self-selection in this (i.e. organisations more likely to complete PwC surveys are also those who take accreditation seriously) but it’s still a result of sorts not much more than a year after its introduction.

A further theme is the difficult balance between buying better security technology and training people to use it.
“Over a third of all cybersecurity investments are used for technical controls, while only a quarter of companies plan to invest in training staff,” noted EMEA managing director for (ISC)2 , Adrian Davis.
“This indicates that businesses are falsely reliant upon security technology instead of investing in vital staff education and training. No matter how strong your technical defences, poorly-trained employees have become a prime gateway for attackers to get in; and the complacency around awareness training is exacerbating the security breach issue.”

PWC ISBS 2014 Executive Summarry: http://ow.ly/OFmva 

Computerworld:  http://bit.ly/1Cfuf70

 

 

« FBI Unable to Monitor ISIS’s Encrypted Communications
Financial Services Firms Stare into the Abyss as Data Breaches Rocket »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

Link11 GmbH

Link11 GmbH

Link11 provides DDoS protection solutions to protect websites and complete server infrastructures from DDoS attacks.

Gigamon

Gigamon

Gigamon provides intelligent Traffic Visability solutions that provide unmatched visbility into physical & birtual networks without affecting the performance or stability of production environments.

Gamma

Gamma

Gamma is a leading provider of Unified Communications as a Service (UCaaS) into the UK, Dutch, Spanish and German business markets.

GE Digital

GE Digital

GE Digital is a leading software company for the Industrial Internet. Products include Industrial Cyber Security for Operational Technology (OT).

Cybernetic Global Intelligence (CGI)

Cybernetic Global Intelligence (CGI)

CGI is a global IT Security firm that helps companies protect their data and minimize their vulnerability to cyber threats through a range of services such as Security Audits and Managed Services.

United Biometrics

United Biometrics

United Biometrics is an anonymous and real-time authentication platform designed to stop the fraud for mobile payments, e-Commerce and applications.

APT Search

APT Search

APT Search is a recruitment company specialising within the Legal Technology, Cybersecurity and Privacy sectors.

EMnify

EMnify

EMnify is a Software-as-a-Service (SaaS) company, revolutionizing cellular Internet of Things (IoT).

BluescreenIT (BIT)

BluescreenIT (BIT)

BluescreenIT is an IT Security Consultancy and IT and Cyber Security Training company supporting industry, local authorities, MoD and governmental IT departments.

Eureka Security

Eureka Security

Eureka help organizations securely use any cloud data storage technology they need without having to compromise on security.

Prelude

Prelude

Prelude offer the first autonomous platform built to attack, defend and train critical assets through continuous red-teaming.

GajShield

GajShield

GajShield Infotech provides Data Security Firewall solutions to Corporate’s and Government agencies.

Antigen Security

Antigen Security

Antigen Security is a Digital Forensics, Incident Response and Recovery Engineering firm helping businesses and service providers prepare for, respond to, and recover from cyber threats.

SecurEyes

SecurEyes

SecurEyes is a leading cybersecurity firm that provides specialised services, including cybersecurity assessments, managed services, and governance risk and compliance services.

Red Helix

Red Helix

Red Helix (formerly Phoenix Datacom) is a market leader in network performance and cyber security.

Convergence Networks

Convergence Networks

Convergence Networks is one of North America's leading Managed Services & Security Providers.