British businesses have seen a rise in data breaches as they fail to protect against threats brought in by the adoption of new technologies, according to research by PricewaterhouseCoopers.
In addition, infections of computer systems have trebled in two years for large UK companies, according to the auditor's Information Security Breaches Survey 2010, published on Wednesday. PricewaterhouseCoopers (PwC) polled 539 companies for the report, which is published every two years.
"Organisations are really struggling," said Chris Potter, a OneSecurity partner with PwC, at the Infosecurity Europe 2010 conference in London. "The overall context is pretty gloomy."
Sixty-two percent of large businesses reported infection by a virus or malicious software in the last year, compared with 21 percent in 2008. Reports of attempted break-ins to systems have nearly doubled, from 31 percent to 61 percent. Denial-of-service attacks have also increased, up from 11 percent to 25 percent. Overall, 92 percent of large enterprises said they had been hit by a security incident in the past year.
"Fifteen percent of large organisations detected successful penetration of their systems and networks over the past year," said Potter. "Large organisations hold data on all of us. Are you comfortable that one in six organisations have hackers crawling around their networks looking at your data?"
Big businesses are also having to pay out more to deal with security problems. The average cost of dealing with the worst incident seen rose from £90,000-£170,000 to £280,000-£690,000.
Small companies — those with fewer than 50 staff — have also been hit harder, with 83 percent saying they had seen a security incident in the past year. That compares with 45 percent in the last PwC report. In addition, the average cost to small organisations of dealing with a severe incident rose from £10,000-£20,000 to £27,500-£55,000.
The issue is not that businesses are spending less on information security, but that they are implementing technologies without thinking through the possible security ramifications, according to Potter.
Technologies experiencing rapid uptake in businesses include software-as-a-service (SaaS) and cloud computing, virtualisation and VoIP. Forty-seven percent of those polled said they now use VoIP, compared with 17 percent two years ago. Furthermore, 85 percent now use a wireless network, compared with 42 percent previously.
Many of the data breaches occurred due to human error or misconfiguration of systems, according to Potter. He suggested that companies should think about information security when bringing in new technologies, including following international security standards such as ISO 17799.
Security expert and Jericho Forum board member Adrian Seccombe said businesses were definitely rushing to implement new technologies, and suffering as a consequence. However, he said technology vendors themselves were not building security in from the beginning, which they should be doing.
"We still suffer from bolt-on security syndrome," said Seccombe. "I'd blame it on the vendors of products and services. People who roll out technologies without architecting security in from the beginning are those who are at fault."
Talkback
Another bit of research, this time from the Ponemon Institute, reveals that the UK has the lowest cost per breached record to companies in terms of associated post-security-breach activity. In the UK it's USD $98 per record compared to $204 for the USA, and the UK is some 45% below the global average per breached record.
Interestingly, the US has some of the toughest disclosure regulations while the UK has been somewhat lightweight on the matter of breach disclosure regulation outside of the public sector and financial sector. I will be watching closely to see if the new Information Commissioner’s Office powers to slap £500,000 fines on those breached companies found to be lacking in security and determined to have suffered a ‘deliberate or negligent’ breach of personal data changes the figures next year.
I suspect that it will. Forget educating business to be better at security, that hasn't worked. What will work is to make it too expensive to be insecure, the bean counters will make sure of that.