UK organisations doubled their information security budgets last year, spending £6.2m on average (compared with £3m in 2015), roughly 1.6 times the global average of £3.9m. Despite this, nearly a fifth (18 per cent) don’t know how many cyberattacks they experienced last year, and 17 per cent of all respondents don’t know the probable source of their security incidents, according to PwC’s latest annual Global State of Information Security Survey 2017. Security incidents now cost organisations an average of £2.6m (up from £1.7m last year), and executives around the world are realising that they cannot afford to ignore protecting their assets, the researchers said.
The survey was produced in conjunction with CIO and CSO, based on interviews with over 10,000 executives from more than 133 countries, including 479 UK respondents. Key findings include:
- 18 per cent of UK organisations don’t know how many cyberattacks they suffered last year.
- Nearly eight in ten experienced downtime because of security incidents.
- The average number of security incidents faced by UK companies increased by 23 per cent to 5,792.
- Incidents now cost an average of £2.6m, up 53 per cent from last year.
- Only 28 per cent of UK boards are involved in setting security strategy.
- Current employees continue to be the top insider risk, but increasingly business partners are also a risk.
“We’re beginning to see a shift in thinking. Organisations have come to realise that they can’t view cybersecurity as just a cost or barrier to change given the many high-profile incidents we’ve seen recently,” said Richard Horne, UK cybersecurity partner at PwC. “Getting security right is not only essential to the day-to-day running of a business, but can even be a competitive advantage, help to drive business growth and build brand trust.”
The survey found that UK boards are less involved than those in other markets in setting the security budget and, more importantly, the strategy. The board sets the security budget in only a third of UK companies (33 per cent, compared with a global average of 39 per cent), and even fewer (28 per cent) are involved in setting security strategy (compared with 42.5 per cent globally). “Cyber security is far more than just building security controls – it’s about changing your organisation to be securable,” Horne added. “That requires all aspects of a business to be engaged, to make tough decisions at board level, and embed consideration of cybersecurity risk in all decision-making processes.”
Although the main insider risk and source of incidents for UK organisations continues to be current employees (with former employees a close second), service providers, consultants and contractors are increasingly likely to be the source of a cyber threat to a business. Phishing remains an effective way to target these groups: 37 per cent of cybersecurity breaches were reportedly caused by phishing incidents.
“Instilling a cyber-aware culture in an organisation, and controlling who has access to what information, continues to be of utmost importance. Even with the best technology available on the market, employees can still be your weakest link,” Horne warned. “But when trying to assess your ‘insider’ risk, it’s important to look not only at your internal data, people and processes, but also at the third party relationships closely connected to your business – that is where the threat increasingly lies.”