UK organisations still failing to prepare effectively for cyber attacks

Oct 18, 2017

  • Nearly one in five organisations don’t prepare or drill for cyber attacks

  • Three in 10 don’t know how many cyber attacks they suffered last year

  • A third don’t know the likely cause of incidents

  • Only just over half have a cross-organisational team in place working on cyber security issues

The cyber security risk to UK organisations continues to increase in both severity and impact, but nearly one in five (17%) admit they don’t prepare or drill for cyber attacks, and fewer than half (49%) conduct penetration tests to examine their defences.

PwC’s Global State of Information Security Survey 2018 finds that more than a quarter of UK organisations (28%) don’t know how many cyber attacks they suffered in the past year and a third (33%) admit to not knowing how the incidents they faced occurred. The annual study is based on interviews with 9,500 senior business and technology executives from 122 countries, including 560 UK respondents spanning large to small businesses and public sector organisations.

Richard Horne, cyber security partner at PwC, commented:

“Cyber attacks could happen to any organisation at any time, so it’s important that all businesses and public sector organisations are getting the basics right and continually testing their approach to prepare themselves in the right way. In that critical moment when an attack hits, the ability to act quickly and effectively is key to minimising business disruption and reputational harm.”

Collaboration is key

UK organisations remain more reluctant than their global peers to join forces with others in the fight to reduce cyber risk. Only two in five UK respondents (44%) formally collaborate with others in their industry to improve security and reduce the potential for future risks, compared with 54% across Europe and 58% globally.

Even within their own organisation, only just over half of UK respondents (53%) have a cross-organisational team in place – including leaders from finance, legal, risk, human resources, and IT/security – which meets regularly to coordinate and communicate information security issues.

Richard Horne commented:

“Cyber security needs to be viewed as a ‘team sport’ rather than just an issue for the IT team. To be most effective, everyone in an organisation should be considering the security implications of their actions. Pulling a business together like that requires strong leadership from the top.

“Working with others across the public and private sector is key too. Forging close working collaborations and sharing intelligence is often the best way to tackle the latest threats. New forms of attack require new ways of working to defend our society.”

Business impact and preparedness

Whilst only 14% of UK companies reported facing direct financial losses as a result of security incidents, and the average total financial cost of incidents actually decreased this year to £857,000, the impact of these breaches was felt more widely across both business operations and data:

  • UK organisations faced an average of 19 hours down-time due to security incidents;

  • 23% had customer records compromised;

  • 20% had employee records compromised; and

  • 21% reported loss or damage of internal records.

Despite this, fewer UK organisations have a cyber insurance policy in place to cover the various impacts of breaches (UK: 44%; global: 58%).

Breaching UK organisations by targeting their employees is increasingly the most common cause of incidents, responsible for over a quarter of all attacks (27%; up from 20% last year), whereas the average global attack is most likely to come from a mobile device being breached (29%).

The average information security budget amongst UK businesses and public sector organisations last year was £3.9m. The majority (64%) of organisations surveyed have an overall security strategy in place and 53% agree that spending is based exclusively on risk. However, only 34% have boards actively participating in the strategy compared to the global average of 44%.


Notes to editors:

  1. The Global State of Information Security® Survey 2018 is a worldwide study by PwC, CIO and CSO. It was conducted online from April 24, 2017, to May 26, 2017. Readers of CIO and CSO and clients of PwC from 122 countries were invited via email to take the survey.

  2. The results discussed in this report are based on the responses of more than 9,500 business and IT executives including CEOs, CFOs, CISOs, CIOs, CSOs, vice presidents, and directors of IT and information security from 122 countries. 38% of respondents were from North America, 29% from Europe, 18% from Asia Pacific, 14% from South America, and 1% from the Middle East and Africa.

  3. A range of public and private organisations were surveyed: 28% of respondents were from small businesses with under $100m annual revenue, 46% of respondents were from organisations with revenue of $500 million+ and 4% were non-profit, government or education bodies.


About PwC

At PwC, our purpose is to build trust in society and solve important problems. We’re a network of firms in 157 countries with more than 223,000 people who are committed to delivering quality in assurance, advisory and tax services. Find out more and tell us what matters to you by visiting us at

PwC refers to the PwC network and/or one or more of its member firms, each of which is a separate legal entity. Please see for further details. © 2017 PwC. All rights reserved

Contact us

Felicity Main

Manager, media relations, PwC United Kingdom

Tel: +44 (0)7841 467 421