Infosec 2010: Large firms overwhelmed by security breaches

Companies are struggling to adapt and change to the new threat landscape

A staggering 92 per cent of large organisations have suffered a security incident or data breach in the past year, as they struggle to cope with the changing threat landscape, according to the latest biennial Information Security Breaches Survey from PricewaterhouseCoopers (PwC).

PwC partner Chris Potter branded the findings, launched today at Infosec 2010, "surprisingly bad", and said that companies are struggling to mitigate the increased external threat levels and the large numbers of accidental breaches from insiders.

"We weren't expecting the results to be as significant as that. Right now it looks quite serious in terms of the costs," he said.

"People are maintaining expenditure on security, but serious threats are rising and people are having to adapt and change to the new threat landscape."

The report found that the median number of data breaches rose from five two years ago to 45 today, and that the average costs had risen roughly threefold. Breaches totalled around £10bn in costs, with a big increase in the cost of reputation damage.

"If you don't have a contingency plan in place, or you have a rubbish contingency plan, this will add to the cost of breaches," said Potter.

"It really is important that organisations carry out that risk assessment, and consider breaches happening in other organisations and ensure that they have a plan in place to deal with them in their own organisation."

Worryingly, respondents to the survey were pessimistic about the future. Four times as many people predicted that there will be more incidents next year than those who thought there would be fewer.

However, it was not all bad news. The number of large organisations implementing the ISO27001 standard had risen from 17 per cent to 26 per cent since the last report, while the number implementing hard disk encryption had risen from 16 per cent to 75 per cent.

But, despite spending levels remaining steady through the recession, security awareness training remains "inadequate", according to PwC.

"You need a combination of people, process and technology to be effective, and the good news is that companies are recognising this," said Potter.

"Organisations face two challenges: how to control the people in their organisation; and how to get assurance from all the third parties they deal with that they're doing the right thing."