UK organisations doubled their information security budgets last year, spending £6.2m on average (2015: £3m), and over one and a half times more than their global counterparts (average spend £3.9m).
Despite this, nearly a fifth (18%) don’t know how many cyber-attacks they experienced last year and 17% of all respondents don’t know the likely source of security incidents.
In the week the new National Cyber Security Centre opened in the UK, PwC has published the findings of its latest annual Global State of Information Security Survey 2017, produced in conjunction with CIO and CSO, based on interviews with over 10,000 executives from more than 133 countries, including 479 UK respondents.
With security incidents now costing an organisation an average of £2.6m (up from £1.7m last year, an increase of 53%), executives around the world are waking up to the fact that they can no longer afford to take a passive approach to protecting their assets, leading to the increase in budgets.
Boards in the UK are less involved than those in other markets, both in setting the security budget and, more importantly, in setting the strategy. Only a third of UK companies (33%) have the board involved in setting security budgets, compared to the 39% global average, and even fewer (28%) have the board take part in setting the strategy (42.5% globally).
Not only has the average number of security incidents UK companies face increased by 23% in the last year to 5,792, but the threat landscape is also changing. The top insider risk and source of incidents for UK organisations continues to be current employees, with former employees a close second, but current service providers, consultants or contractors are now increasingly likely to be the cause of a cyber threat to a business too.
It’s also clear that phishing still works to target these groups, with the majority of cyber security breaches reportedly caused by phishing incidents (37%).
Security incidents are now costing organisations more, and 79% of UK companies have suffered downtime because of them. Despite this, this year’s study showed a decrease in the number of UK companies investing in cyber insurance. In the previous study, 59% had a cyber insurance policy, but in the last year this has fallen to only 38% of respondents reporting that they have one (and 10% of these don’t even know what it covers), compared to 53% globally.
UK organisations are also more likely than the rest of the world to keep their cards close to their chest and not share security knowledge with others. Only 40% collaborate with others to reduce future risks, compared to over half across Europe (52%) and globally (55%).
Richard Horne, UK cyber security partner at PwC, said:
“We’re beginning to see a shift in thinking. Organisations have come to realise that they can’t view cyber security as just a cost or barrier to change given the many high profile incidents we’ve seen recently.
Getting security right is not only essential to the day-to-day running of a business, but can even be a competitive advantage, help to drive business growth and build brand trust.
Cyber security is far more than just building security controls – it’s about changing your organisation to be securable.
That requires all aspects of a business to be engaged, to make tough decisions at board level, and embed consideration of cyber security risk in all decision-making processes.
It’s not just about having more budget to buy more technology to patch cyber security holes. UK organisations need to take a more strategic approach to how they spend their increased budgets to start to see a real uptick in security posture.
Instilling a cyber-aware culture in an organisation, and controlling who has access to what information, continues to be of utmost importance. Even with the best technology available on the market, employees can still be your weakest link.
But when trying to assess your ‘insider’ risk, it’s important to look not only at your internal data, people and processes, but also at the third party relationships closely connected to your business – that is where the threat increasingly lies.
UK companies remain wary about sharing security knowledge, but working with partners within a particular industry can significantly improve threat intelligence awareness and an organisation’s ability to spot potential incidents before they escalate.
The organisations that get their approach to cyber security right are the ones that will prosper, build trusted brands and sustained value.”