UK companies are suffering more cyber security incidents than their global counterparts but are falling behind others in detecting them. According to the latest Global State of Information Security report by PwC, 69% of companies experienced a security incident in the UK in the past 12 months, compared to 59% globally.
PwC interviewed 9,805 executives from more than 154 countries, including over 475 from the UK, across all industries, in the annual report that looks at the challenges faced by companies in protecting their businesses and their assets from cyber security incidents.
The number of reported security incidents around the world rose 48% to 42.8 million, the equivalent of 117,339 attacks per day in 2013, according to the survey released by PwC in conjunction with CIO and CSO magazines.
Worryingly, over 22% of the UK companies surveyed say they did not detect any security incidents in the past year, compared with 16% globally and 18% in Europe. Further, 8% of UK businesses say they do not know how many security breaches they have had in the last 12 months.
Whilst 55% of UK companies say they plan to spend more on security this year, compared with 42% last year, a further 33% of companies report their spending will stay the same. The rest either plan to cut back on spend or don’t know what they will do.
By contrast, there is more uncertainty overseas about security spending, with 18% of US companies saying they do not know what they plan to spend in the year ahead.
Leadership is cited by 30% of respondents as the biggest obstacle to improving the overall effectiveness of the security function. Over a quarter of respondents (29%) do not think there is a senior executive who proactively communicates the importance of information security, up from last year.
UK respondents say the top three obstacles to improving security are: insufficient capital funding, a lack of leadership from the CEO or Board, and the lack of an effective information strategy. On a positive note, 42% of UK respondents say their boards are engaged with the overall security strategy, compared with 37% of US interviewees.
Richard Horne, cyber security partner at PwC, said: “A sizeable minority of UK businesses are underestimating the scale of the problem they face. Information security incidents are a fact of life, and a critical element of defence is the ability to detect and respond to incidents quickly before they have an impact on business. The fact that nearly a third of UK businesses either has not detected a security incident or knows that they are in the dark suggests that more attention is needed across the UK economy to protect our businesses.
“The increasing spend on information security is welcome but securing digital assets has to be embedded in the DNA of all organisations. That requires leadership and a clear strategy, which again appears to be missing in nearly a third of businesses. It is encouraging that there is better board-level engagement with security strategy and spending, and that the UK is ahead of the US in that regard, but more needs to be done.
“Cyber threats continue to evolve and no organisation can stand still. Businesses in all sectors need to prepare and refine their defences – and respond to breaches – against incredibly sophisticated attacks. This is a risk that can be managed, but it requires continual focus, leadership and commitment – not just to prevent breaches but also to detect and respond to incidents rapidly when they happen.”
The impact of security breaches has continued to affect business. Over a quarter of UK respondents say customer and employee records have been compromised; over 22% have suffered the theft of intellectual property; and 20% have suffered financial losses. In total, 70% of UK companies say they experienced some business down time as a result of security incidents this year. 59% experienced up to 24 hours of down time.
Cyber insurance is one area where companies can look to protect themselves from theft or misuse of data. Over half of UK companies have cyber insurance but another 17% do not know whether they have any cyber insurance policies in place. UK companies have been less proactive at claiming against their policies, with 34% making claims compared with 48% globally.
Insiders, particularly current or former employees, are cited as a major source of security incidents by most respondents. Hackers and competitors are cited by fewer respondents as the source of outside security incidents.
Grant Waterfall, cyber security partner at PwC, said: “The results indicate that awareness of cyber security risk in the UK is improving. We're seeing the benefit of a number of Government and private sector initiatives. Although there is still some way to go, the focus for many organisations must now shift from awareness to action.”
Finally, the survey reports that UK companies have embraced initiatives to address risks from mobile security, following the trend for employees to use smart phones and tablets seamlessly between work and home, but they are still not as good at implementing controls as they should be given the increasing trend in ‘bring your own device’ (BYOD). Over 56% have mobile security strategies – higher than the global figure – but 18% say they do not have any controls.