8 in 10 small UK firms hacked last year - at £65k a pop: Report
Poor security practices blamed, according to gov survey
Posted in Management, 23rd April 2013 10:13 GMT
Free whitepaper – Hands on with Hyper-V 3.0 and virtual machine movement
Infosec 2013 Over 80 per cent of small businesses in the UK suffered a computer security breach last year, according to new government research. And the proportion of large firms that reported attacks has reached a whopping 93 per cent.
The Department for Business, Innovation and Skills' 2013 hacking survey found that 87 per cent of small businesses across all sectors had experienced a breach in the last year. This is up more than 10 percentage points on the previous year's figures. The department is hoping its "Innovation Vouchers" incentive scheme will allow these businesses to protect their assets from the costly attacks.
The department's Technology Strategy Board is extending its Innovation Vouchers scheme to allow SMEs to bid for up to £5,000 from a £500,000 pot to improve their cyber security using external expertise. BIS is also publishing guidance to help small businesses give cybersecurity a higher profile in their businesses.
The average attack caused a Blighty SMB between £35,000 and £65,000 worth of damage - while large firms breaches set them back by an average of £450,000 to £850,000, although several individual breaches cost more than £1m.
Minister for Universities and Science David Willetts said: “Keeping electronic information safe and secure is vital to a business’s bottom line. Companies are more at risk than ever of having their cyber security compromised, in particular small businesses, and no sector is immune from attack. But there are simple steps that can be taken to prevent the majority of incidents.
“The package of support we are announcing today will help small businesses protect valuable assets like financial information, websites, equipment, software and intellectual property, driving growth and keeping UK businesses ahead in the global race.”
The survey, out Tuesday, also revealed that 93 per cent of large organisations (those which employ more than 250 workers) had reported breaches in the past year. The median number of breaches suffered was 113 for a large organisation (up from 71 a year ago) and 17 for a small business (up from 11 a year ago).
Both figures suggest that companies which report hacker attacks are doing so more often. Over three in four (78 per cent) large organisations that responded said they'd been attacked by an unauthorised outsider (up from 73 per cent a year ago) and 63 per cent of small businesses said the same (up from 41 per cent a year ago).
Twelve per cent of respondents said the worst security breaches were partly caused by senior management giving insufficient priority to security.
According to the survey, 36 per cent of the "worst security breaches" were caused by inadvertent human error.
Andrew Miller, PwC information security director, said: “Spending on cyber control as a percentage of an organisation’s IT budget is up this year from an average of 8 per cent to 10 per cent, but the number of breaches and their impact is also up as well so it is clear that there is work to be done in measuring the effectiveness of the security spend."
Mike Cherry, national policy chairman of the Federation of Small Businesses, welcomed the government's push to improve security at UK SMEs.
“Cybersecurity is an increasing risk for small and micro businesses and more and more, a barrier to growth. The FSB is very pleased to see the government announce a package of measures including specific guidance for small firms, helping them take steps towards more effective cybersecurity."
According to Government Communications Headquarters, four in five (80 per cent or more) of currently successful attacks can be prevented by simple best practice, such as ensuring staff do not open suspicious-looking emails or ensuring sensitive data is encrypted.
The 2013 Information Security Breaches Survey (ISBS) was funded by BIS and carried out by PwC in conjunction with the Infosecurity Europe trade show. ®
Free whitepaper – Hands on with Hyper-V 3.0 and virtual machine movement
COMMENTS
Highly Rated
I expect more from the Register than this
Please, I expect the Register to at least take this sort of rubbish with a large pinch of salt. One of your commenters digs deeper into the reasons for these ridiculous numbers yet your writer seems to have just taken them at face value. Classic case of "Lies, damned lies, and statistics"
"...successful attacks can be prevented by simple best practice, such as ensuring staff do not open suspicious-looking emails..."
Well no company ever answers my emails so I think the policy is already in place. Or do I just need to mention "free money" or "cat pictures" in the subject line?
It depends what you count as security breaches...
Having read through a good deal of the report it seems that the main reason that the figures are so high is what is categorised as a "security breach". As well as the sort of stuff you would expect (websites attacked by SQL injection, competitors getting private data by some means) you find that "confidential data e-mailed to a personal account" counts too... ok, perhaps. Then computers inside the organisation encountering a virus, even if immediately dealt with by anti-virus software (um, perhaps... but is this really a breach?), laptops being stolen (ok - um, but a security breach?), disc drive failures (er, hang on here - drive failures are now a security breach?) and the icing on the cake - data corruption caused by software bugs (WT-actual-F?)
Re: Come clean on funny money
In many cases the "clean up" cost probably includes doing all that security work you should have been doing all along.
Checking active accounts against your employee database, patching those pesky web servers etc.
And also creating (or acquiring) some security processes that are to be followed from then on.
Nothing like closing the stable door and then saying it cost £65,000 to do it.
Come clean on funny money
> The average attack caused a Blighty SMB between £35,000 and £65,000 worth of damage
Now, we all know that doesn't mean that the SMBs in question had to get thirty five grand of cash out of their respective wads and spend that money on goods or services outside the company.
No. All it means is they got some of their staff to do a few hours of work at some notional internal cross-charge hourly rate and a whole lot more managers to spend time in meetings, each at a vastly higher notional hourly rate. Now some of those people might, just, have got a bit of overtime or a meal allowance - but in most cases (of personal experience) they were just told to stop what they were working on: projects, facebook updates, chatting to colleagues, long lunches, going home on time - and to sort out whatever breach had been detected.
The reason that large company's breaches cost more was in large part because they had more staff that they could apply to the problem. Work expands to fill the number of departments that can charge for their time.
What would be interesting to know, but will never ever be revealed, is how much actual cash flowed out of a company for each problem that they had to fix. I would suspect that in most cases the real monetary cost was very small indeed.
The new Office Garage series:
