8 in 10 small UK firms hacked last year - at £65k a pop: Report
Poor security practices blamed, according to gov survey
Infosec 2013 Over 80 per cent of small businesses in the UK suffered a computer security breach last year, according to new government research. And the proportion of large firms that reported attacks has reached a whopping 93 per cent.
The Department for Business, Innovation and Skills' 2013 hacking survey found that 87 per cent of small businesses across all sectors had experienced a breach in the last year. This is up more than 10 percentage points on the previous year's figures. The department is hoping its "Innovation Vouchers" incentive scheme will allow these businesses to protect their assets from the costly attacks.
The department's Technology Strategy Board is extending its Innovation Vouchers scheme to allow SMEs to bid for up to £5,000 from a £500,000 pot to improve their cyber security using external expertise. BIS is also publishing guidance to help small businesses give cybersecurity a higher profile in their businesses.
The average attack caused a Blighty SMB between £35,000 and £65,000 worth of damage - while large firms breaches set them back by an average of £450,000 to £850,000, although several individual breaches cost more than £1m.
Minister for Universities and Science David Willetts said: “Keeping electronic information safe and secure is vital to a business’s bottom line. Companies are more at risk than ever of having their cyber security compromised, in particular small businesses, and no sector is immune from attack. But there are simple steps that can be taken to prevent the majority of incidents.
“The package of support we are announcing today will help small businesses protect valuable assets like financial information, websites, equipment, software and intellectual property, driving growth and keeping UK businesses ahead in the global race.”
The survey, out Tuesday, also revealed that 93 per cent of large organisations (those which employ more than 250 workers) had reported breaches in the past year. The median number of breaches suffered was 113 for a large organisation (up from 71 a year ago) and 17 for a small business (up from 11 a year ago).
Both figures suggest that companies which report hacker attacks are doing so more often. Over three in four (78 per cent) large organisations that responded said they'd been attacked by an unauthorised outsider (up from 73 per cent a year ago) and 63 per cent of small businesses said the same (up from 41 per cent a year ago).
Twelve per cent of respondents said the worst security breaches were partly caused by senior management giving insufficient priority to security.
According to the survey, 36 per cent of the "worst security breaches" were caused by inadvertent human error.
Andrew Miller, PwC information security director, said: “Spending on cyber control as a percentage of an organisation’s IT budget is up this year from an average of 8 per cent to 10 per cent, but the number of breaches and their impact is also up as well so it is clear that there is work to be done in measuring the effectiveness of the security spend."
Mike Cherry, national policy chairman of the Federation of Small Businesses, welcomed the government's push to improve security at UK SMEs.
“Cybersecurity is an increasing risk for small and micro businesses and more and more, a barrier to growth. The FSB is very pleased to see the government announce a package of measures including specific guidance for small firms, helping them take steps towards more effective cybersecurity."
According to Government Communications Headquarters, four in five (80 per cent or more) of currently successful attacks can be prevented by simple best practice, such as ensuring staff do not open suspicious-looking emails or ensuring sensitive data is encrypted.
The 2013 Information Security Breaches Survey (ISBS) was funded by BIS and carried out by PwC in conjunction with the Infosecurity Europe trade show. ®
- Black Hat
- Common Vulnerability Scoring System
- Cybersecurity and Infrastructure Security Agency
- Cybersecurity Information Sharing Act
- Data Breach
- Data Protection
- Data Theft
- Digital certificate
- Identity Theft
- Kenna Security
- Palo Alto Networks
- Trusted Platform Module
- Zero trust