The average cost of cyber breaches affecting medium-sized businesses has quadrupled in the last two years, according to the latest government survey.
The Cyber Security Breaches Survey 2018, carried out by Ipsos MORI on behalf of the Department for Culture, Media and Sport, found that the estimated total cost of cyber breaches has consistently increased from £1,860 in 2016 to £3,070 in 2017 and £8,180 in 2018 – even when including breaches that do not result in lost assets or data. This represents an increase of over 400% in just two years.
In instances where breaches do result in a material loss of assets or data, the impacts can be much higher – on average £16,100 for medium-sized businesses and £22,300 for large ones. These costs can include investment in new measures, including tools and technology, to protect against future attacks, and increased staff resource.
The survey found that two thirds of medium and large businesses have identified and reported at least one breach or attack in the last 12 months.
Breaches were more often identified among organisations that hold personal data or where staff use personal devices for work.
The survey also pointed to a persistent unwillingness within organisations to address cyber security issues. Only three in ten businesses said they had a board member with specific responsibility for cyber security, and only a fifth have had any staff attend internal or external cyber security training in the last 12 months.
Fewer than three in ten businesses reported that they had a cyber security policy, with even fewer having a cyber security incident management process in place.
Sheila Pancholi, a technology risk assurance partner at RSM, commented: “This survey very clearly shows that while the cost of dealing with cyber breaches is growing, there appears to be a persistent degree of complacency when it comes to preventing and responding to cyber-attacks.
“Nine in ten directors or senior managers in medium and large businesses claim to treat cyber security as a high priority, but this doesn’t seem to be matched by action. There is much more that organisations need to do when it comes to raising staff awareness through training, identifying and managing cyber related risks and adopting good-practice technical controls. Cyber security must be made a Board level issue to ensure it gets the required level of focus in a business.
“It’s particularly interesting that the survey found that cyber breaches are more prevalent when staff are allowed to use their own personal devices for work. This is an area that we have been warning our clients about for some time and caution is needed.
“Personal devices should be managed and controlled via a formal Bring Your Own Device Policy that includes ensuring controls applied to systems managed and owned by the business are consistently applied to personal devices which staff want to use for work related purposes. This is ever more important given the impending 25th May deadline for GDPR coming into force to strengthen personal data governance. The reality is that organisations are only as strong as the weakest link in their network.”