Despite UK businesses doubling their security budgets, companies are still in the dark as to how many cyber-attacks are hitting them.
According to PwC’s annual Global State of Information Security Survey 2017, UK businesses are spending an average of £6.2m on security (2015: £3m), more than one and a half times the global average of £3.9m. Nearly a fifth, however, don’t know how many cyber-attacks they experienced last year, and 17% of all respondents don’t know the likely source of their breaches and security incidents.
The findings should prove a massive wake-up call to businesses, especially as security incidents now cost organisations an average of £2.6m – up from £1.7m last year. Not only is the cost of security incidents rising, but attacks are also evolving and increasing in number. Security incidents targeting UK companies increased by 23% in the last year to 5,792, with phishing still the most effective attack method: 37% of breaches were blamed on phishing attacks.
Richard Horne, UK cyber security partner at PwC, argues that executives can no longer afford to take a passive approach to protecting their assets, saying:
“We’re beginning to see a shift in thinking. Organisations have come to realise that they can’t view cyber security as just a cost or barrier to change given the many high profile incidents we’ve seen recently.
“Getting security right is not only essential to the day-to-day running of a business, but can even be a competitive advantage, help to drive business growth and build brand trust.”
However, this means that UK boards need to get more involved, a huge task given that the report shows the UK falling behind other countries when it comes to board engagement. Only a third of UK companies involve the board in setting security budgets, compared to a 39% global average, and even fewer (28%) involve it in security strategy (42.5% globally).
“That requires all aspects of a business to be engaged, to make tough decisions at board level, and embed consideration of cyber security risk in all decision-making processes,” said Mr Horne.
“It’s not just about having more budget to buy more technology to patch cyber security holes. UK organisations need to take a more strategic approach to how they spend their increased budgets to start to see a real uptick in security posture.”
The report also put the spotlight on the apparent lack of cyber insurance take-up, with this year’s study showing a decrease in the number of UK companies investing in cyber insurance. In the previous study, 59% had a cyber insurance policy, but in the last year this has fallen to only 38% of respondents reporting that they have one, and 10% of those do not even know what it covers.
UK organisations were also found to be reluctant to share security information, with only 40% collaborating with others to reduce future risks, compared to over half across Europe (52%) and globally (55%).
“UK companies remain wary about sharing security knowledge, but working with partners within a particular industry can significantly improve threat intelligence awareness and an organisation’s ability to spot potential incidents before they escalate,” said Mr Horne.
“The organisations that get their approach to cyber security right are the ones that will prosper, build trusted brands and sustained value.”