New report reveals UK cyber breaches doubling in cost and increasing in scale

The number of security breaches has increased in the past year, with the scale and cost nearly doubling. The average cost of the worst breaches at large UK organisations is between £1.4m (€1.92m) and £3.14m (€4.27m), according to the UK government’s 2015 information security breaches survey conducted by PwC.

This translates into an increase of 233% to 273% from a year ago, while the cost of breaches for small businesses is between £75,000 (€102,000) and £311,000 (€423,000), up by between 115% and 270% from 2014.
The number of organisations suffering breaches is also increasing.

  • 90% of large organisations reported breaches, up from 81% a year ago.
  • 74% of small organisations said they had been breached, up from 60% in 2014.

The majority of UK businesses polled expect that breaches will continue to increase in the coming year. The survey showed 59% of respondents expect to see more security incidents. While all sizes of organisations continue to experience external attacks, there appears to have been a slow change in the character of these attacks, the survey revealed.

Large and small organisations appear to be subject to greater targeting by outsiders, with malicious software impacting nearly 75% of large organisations and 60% of small organisations. There was, however, a marked increase in small organisations suffering from malware, up by 36% compared with a year ago.

Staff-related incidents, board awareness and risk assessments

The 2015 survey also features staff-related incidents with 75% of large organisations suffering a staff-related breach, up from 58% a year ago, and nearly a third of small organisations, up from 22% in 2014. When asked about the single worst breach, half of the organisations polled attributed the cause to inadvertent human error, up from 31% a year ago.

This increase comes despite 72% of large organisations providing security training, up from 68% a year ago, and 63% of small businesses doing so, up from 54% in 2014.

But the survey revealed that 21% of respondents have not briefed their board in the past year, while 14% said they have never briefed their board on security risks. And only 26% of organisations stated that responsibility for ensuring data is protected is very clear, while 33% said it was not clear.

There was, however, a slight increase in the proportion of organisations where senior management is viewed as giving security a “high” or “very high” priority, up to 82% from 79% a year ago. But some 28% of respondents cited a “lack of priority” from senior management as a contributing factor to their single worst breach, up from just 7% in 2014.

The survey found that nearly a third of organisations have not conducted any form of security risk assessment, up from 20% a year ago. The report said this reverses the trend of the past two years and raises the question of whether businesses have the required skills or experience.

 

 
