With so much happening in cyber security around the world lately, we're highlighting some of the interesting stories each week from across Europe, Middle East, Africa and Asia Pacific. This week we're in the United Kingdom where the 2014 Information Security Breaches Survey was launched at InfoSecurity Europe…
The UK government has published the Information Security Breaches Survey every year since the early 90s with the aim of increasing awareness of security risks. It's an interesting read and provides quantifiable insight into the current state of security across UK businesses. This year's report found that over 80% of large organisations and 60% of small organisations had a security breach in the last year. What's more alarming is that breaches are costing twice as much as last year – the average cost of a breach to a large organisation is now £600k to £1.15m (US$1.0m to US$2.0m). This is predominantly driven by the costs of business disruption, incident response, and lost assets and intellectual property.
Given the high costs, it doesn't surprise anyone that security continues to be top of mind for UK businesses. Around 80% of senior management rank it as a high or very high priority, and almost the same percentage have briefed their board on security risks in the last year. Echoing the findings in the Verizon 2014 Data Breach Investigations Report, detection is where it all falls apart. The majority of breaches take longer than a day to detect, while 14% of organisations took longer than a month to detect a breach, up from 9% last year. A bit of a worry is that 1 in 10 organisations discovered they had been breached by accident – you have to wonder if there are many more breaches that have yet to be discovered.
Other similar insights to the Verizon 2014 DBIR include the need to get the basics right…
“Continuing the worrying trend we saw in 2013, many organisations still don't take patching seriously leaving themselves vulnerable to attack.”
…and phishing as a dangerous attack vector:
“The volume of such attacks is very concerning – 9% of the affected organisations have to deal with phishing attacks several times a day and 5% of them receive hundreds of attacks a day.”
Finally, the report highlighted the changing IT environment; 5 in 6 UK businesses are now using some kind of cloud service, with the adoption of cloud storage growing the most since last year. Just over half of large organisations and three quarters of small organisations allow staff to bring their own device, with issuing a security policy being the most popular approach for mitigating the risk. While having a policy in place is important, it's essential to also have visibility of what your users are doing in order to enforce these policies. Rapid7 UserInsight was developed to give organisations visibility of user activity within the firewall, on mobile devices or cloud services. Try UserInsight for free here.