Businesses should focus on information security basics to stem the tide of cyber-attacks, according to the authors of a new study.
The Information Security Breaches Survey, commissioned by the Department for Business, Innovation and Skills (BIS) and launched today at the Infosecurity Europe conference in London, revealed that the number of security breaches at UK businesses is at its highest level ever.
But representatives of PwC, which produced the report, say that many businesses are not getting the basics right when it comes to protecting their systems from attack.
The report found that 42 per cent of large organisations don’t provide any ongoing security awareness training to staff and 10 per cent don’t even brief staff on induction.
And while virus infection rates have plateaued as businesses recognise the importance of anti-virus software, many of the infections that do occur are due to failures to apply the latest patches to defences, allowing through older viruses that should be easy to avoid, such as Conficker.
“We are not quite getting the basics right. There are an awful lot of very simple steps which we as an industry and for our organisations just aren’t doing,” said Andrew Webber, information security director at PwC, speaking at the official launch of the survey at Earls Court.
“Organisations that train staff well and had security policies staff were well aware of literally cut their internal user breaches in half. I think that’s a very impactful, very significant easy win for organisations.”
Last year BIS issued a 10-step guide for businesses on how to protect themselves from cyber-attacks, but the survey found only 30 per cent of large organisations had used the guidance and that implementation was patchy, especially in small businesses.
And with 87 per cent of small businesses recording security breaches in the last year – up from 76 per cent last year – this is a serious concern.
“I think it’s fair to say small businesses are really in the cross hairs here, much more than ever before. The number of attacks is up, the impact to their organisations is up massively and it’s only a rising trend,” said Webber.
And while the number of breaches for larger organisations has largely plateaued at 93 per cent, the study found that the cost of breaches has quadrupled for large businesses and doubled for small businesses, and they are taking weeks rather than days to resolve.
“What we’re seeing is that more breaches have a bigger impact and the cost of cleaning them up is rising,” said Webber.
“Incidents themselves are costing significantly more for organisations, not just the clean-up, but also the impact on their brands, disruption to their business and cost to fix.”
The more positive news was that businesses are waking up to the problem with budgets up across the board, and 81 per cent of respondents reporting that senior management place a high priority on security.
But there was concern among respondents that efforts are not necessarily being converted into results, with lack of understanding and a skills shortage largely to blame.
Speaking via a pre-recorded video, Universities and Science Minister David Willetts said: “This really is quite a challenge. We would hope of course that it can be tackled by high level corporate intervention and four-fifths of respondents to the survey believe their boards give high or very high priority to security.
“However when you drill down you find that 23 per cent of respondents carry out any security assessment and 26 per cent of respondents haven’t briefed their board on security risks in the last year.”
In a separate announcement at Infosecurity earlier today, Chloe Smith, Minister for Political and Constitutional Reform, revealed that the Government faces around 33,000 cyber attacks each month from sophisticated criminals and state-sponsored groups.
"On average over 33,000 malicious emails are blocked at the gateway to the Government's secure intranet every month," Ms Smith said.
"These are likely to contain or link to sophisticated malware often sent by highly capable cyber criminals or state-sponsored groups. A far greater number of less sophisticated emails and spam are also blocked each month and this is just how popular Government is."
She detailed the threat to the Government as BIS announced increased support for small firms to help them protect against electronic attacks.
The Technology Strategy Board has extended a scheme to allow small and medium enterprises (SMEs) to bid for up to £5,000 from a £500,000 pot to improve their cyber security by bringing in outside expertise.
And the Government has launched a parallel drive to improve cyber security skills among young people, with learning material developed for GCSE and A-level students expected to arrive in schools in September, Ms Smith said.