
Hacking attacks on the rise

by
26th Apr 2012

Security breaches and network intrusions from outside agents have rocketed in the past two years, according to the 2012 PwC/BIS Information security breaches survey.

This is a major shift in the IT security landscape, where insiders have historically posed the biggest threat. But since the survey was last conducted in 2010, UK plc has come under “a relentless cyber attack”, the study found.

The vast majority of respondents had some kind of security breach in the past year: 93% of large organisations and 76% of small businesses. Seventy per cent of large organisations taking part reported significant attempts to break into their networks, the highest level of intrusion recorded since the Big Four firm started the survey in the early 1990s.

On average, each large organisation suffered 54 significant attacks by an unauthorised outsider, twice the level in 2010, while 15% of large organisations had their networks successfully penetrated by hackers. Smaller companies typically experienced one attack a month.

PwC information security partner Chris Potter offered this explanation for the discrepancy: “Large organisations are more visible to attackers, which increases the likelihood of an attack on their IT systems. They also have more staff and more staff-related breaches, which may explain why small businesses report fewer breaches than larger ones. However, it is also true that small businesses tend to have less mature controls, and so may not detect the more sophisticated attacks.”

Phishing and impersonation

The cyber attack on corporate Britain isn’t just about sophisticated programming tricks, worms and viruses. Identity theft, impersonation and email “phishing” for login and password details are all on the rise, with some financial services and government bodies reporting several phishing attempts a day.

With bogus tax refund emails particularly rife around the end of Self Assessment season, HMRC has issued repeated warnings about phishing - particularly after several accountants found that their SA Online accounts had been hacked in 2009.

Customer impersonation has increased threefold since 2008 and 9% of respondents reported that an outsider had stolen confidential data, with financial services and utilities providers the worst affected.

Data protection

The rising external threat doesn’t mean that everything is rosy behind the corporate firewalls: 45% of large organisations admitted breaching data protection laws in the last year, as often as once a day at 10% of them. One in five small businesses lost confidential data, and 80% of these breaches were classed as serious.

Training

According to PwC, the most serious IT security breaches result from failings in a combination of people, process and technology and the only way to redress the issues is to invest equally in all three. While the threats are changing, the lack of attention to data security remains consistent from previous years. Three quarters of those organisations that admitted their security policies were poorly understood had staff-related breaches, and more than half (54%) of small businesses had no programme for educating staff about security risks.

In contrast, 60% of large organisations invest in security awareness training, up by 10% on 2010 levels.

On average, organisations spend 8% of their IT budget on information security, and those that suffered a very serious breach were found to spend on average 6.5% of their IT budget on security.

Cost of incidents

Systems failures, hacking attacks and viruses all took their toll during the past two years. And while most of the regulatory breaches mentioned did not take systems out of action, half of them still disrupted business operations, for example by diverting management attention to investigations or draining resources from other activities - as HMRC found when it misplaced two CD-ROMs containing child benefit data several years ago.

The worst breaches (around 5%) led to more than a week of disruption, with some continuing for more than a month.

In its financial analysis of the costs of these incidents, PwC found that the indirect cost of staff time responding to a breach can easily outweigh its direct cost. With internal issues such as staff misuse, much of the cost can be taken up with investigating what went wrong and compiling evidence to support disciplinary or legal proceedings, which can be particularly costly. For other episodes, such as accidental systems failures, the costs are eaten up by restoring systems to full function and changing processes to prevent similar incidents from happening again.

Overall, however, the cost of business disruption from the worst breaches has nearly halved since 2010, falling back to near the levels seen in 2008, as the table below illustrates.

“Our best estimate of the total cost to UK plc is in the order of several billion pounds per annum,” PwC concluded.

| Cost of worst incident | Small firms | Large organisations |
|---|---|---|
| Business disruption | £7,000 - £14,000 over 1-2 days | £60,000 - £120,000 over 1-2 days |
| Time spent responding to incident | £600 - £1,500 (2-5 man-days) | £6,000 - £13,000 (15-30 man-days) |
| Direct cash spent responding to incident | £1,000 - £3,000 | £25,000 - £40,000 |
| Direct financial loss (eg loss of assets, fines, etc) | £2,500 - £4,000 | £13,000 - £22,000 |
| Indirect financial loss (eg theft of intellectual property) | £4,000 - £7,000 | £5,000 - £10,000 |
| Damage to reputation | £100 - £1,000 | £5,000 - £40,000 |
| Total cost of worst incident on average | £15,000 - £30,000 | £110,000 - £250,000 |
| 2010 comparative | £27,500 - £55,000 | £280,000 - £690,000 |
| 2008 comparative | £10,000 - £20,000 | £90,000 - £170,000 |

In spite of the rising threats, and repeated warnings, PwC still found some evidence of complacency among large organisations. Some 12% of businesses said senior management give a low priority to security, while 20% spent less than 1% of their IT budget on information security.

According to PwC’s Chris Potter, one of the reasons for such low investment in security defences is that companies find it hard to measure the business benefits. Only 20% of large organisations evaluate return on investment on their security expenditure.

“Organisations that suffered a very serious breach during the year spent slightly below the overall average on security. The key challenge is to evaluate and communicate the business benefits from investing in security controls. Otherwise, organisations end up paying more overall,” Potter said.

“Given that most organisations take a lot of action after a breach to tighten up their security, scrimping and saving on security creates a false economy. The cost of dealing with breaches and the knee-jerk responses afterwards usually outweigh the cost of prevention.

“If security is doing its job it goes unnoticed and it’s hard to measure the business benefits, so investment in security often ends up losing out against other competing business priorities.

“Whether you are a large company or a small one, the challenge is to make sure the money you spend on security is well targeted - evaluating the effectiveness of your security expenditure is vital if you are to stay ahead of the emerging threats.”
