PwC says UK Security Breaches Often Not Reported


The majority of UK organisations suffering a security or data breach will never report it to anyone outside the company, the PwC Information Security Breaches Survey covering 2014 has once again suggested.

It’s not a new finding, nor even a surprising one, but the scale of the issue is one of the noteworthy parts of what is now, at 15 years and counting, the longest-running IT breaches survey in the world.

PwC received 664 responses to feed into its 2015 survey, of which a scandalously low 42 even took on the question covering their reporting policy. Of these, 19 percent had reported security incidents to a government agency (including the ICO), 14 percent to the police, 12 percent to their ISP and 10 percent to Action Fraud. Only 14 percent had owned up in public to the issue, with more than one in five not even sure how or to whom a report should be made.

Meanwhile, breaches are up – of course – with 90 percent of large firms and 74 percent of smaller ones reporting an event, up from 81 percent a year ago.

“It appears that law enforcement agencies are not being informed of all attacks,” said the report’s authors with understatement. “This makes it challenging for the agencies to estimate the scale and types of crimes that are being committed and respond accordingly.”

As for keeping the anti-virus firms in the loop, only 2 percent did that, although not all incidents will have been connected to a failure of that security layer, so this is not as dire as it might sound.

“This year’s survey echoes previous findings that the level of reporting in the UK remains low. Perhaps the fear of reputational damage and potential compensation costs along with the lack of reporting culture in this area means that most organisations are not willingly admitting to information security breaches,” added PwC.

Breaches also cost more than they did in the past, with the average ranging between £1.46 million and £3.14 million for large organisations and a still hefty £75,000 to £311,000 for smaller firms. Just as more breaches are being detected, more of them are targeted, at every level from internal to external or a combination of the two. A percentage of attacks now strike through partners or third parties rather than directly.

“A breach is pretty much inevitable for any organisation in the UK. Dealing with breaches is now a fact of life,” commented Deputy Director for Cyber Security and Resilience within the Department for Business, Innovation and Skills (BIS), Giles Smith, at the report’s Infosec Show launch event in London this week.

PwC gives a long and tedious list of causal factors, although a lack of priority given to security was among the most prominent. Even now, in 2015, some organisations fail to take security seriously or, worse, think they are taking it seriously without actually doing so at a deeper level.

One interesting side-note buried in the report is that the Government’s flagship Cyber-Essentials/Plus scheme seems to be doing well, with half of all organisations either accredited or on their way to being so. There could be a phenomenon of self-selection in this (i.e. organisations more likely to complete PwC surveys are also those who take accreditation seriously), but it’s still a result of sorts, not much more than a year after the scheme’s introduction.

A further theme is the difficult balance between buying better security technology and training people to use it.

“Over a third of all cybersecurity investments are used for technical controls, while only a quarter of companies plan to invest in training staff,” noted EMEA managing director for (ISC)², Adrian Davis.

“This indicates that businesses are falsely reliant upon security technology instead of investing in vital staff education and training. No matter how strong your technical defences, poorly-trained employees have become a prime gateway for attackers to get in; and the complacency around awareness training is exacerbating the security breach issue.”

PwC ISBS 2014 Executive Summary: http://ow.ly/OFmva

Computerworld: http://bit.ly/1Cfuf70

 

 
