The average cost of cyber breaches affecting medium-sized businesses has quadrupled in the last two years, according to the latest government survey.
The Cyber Security Breaches Survey 2018 carried out by Ipsos MORI on behalf of the Department for Culture, Media and Sport found that the estimated total cost of cyber breaches has consistently increased from £1,860 in 2016 to £3,070 in 2017 and £8,180 in 2018 – even when including breaches that do not result in lost assets or data.
This represents an increase of over 400 per cent in just two years.
In instances where breaches do result in a material loss of assets or data, the impacts can be much higher – on average £16,100 for medium sized businesses and £22,300 for large businesses.
These costs can include investment in new measures, including tools and technology, to prevent against future attacks and increased staff resource.
The survey found that two thirds (65 per cent) of medium and large businesses have identified and reported at least one breach or attack in the last 12 months.
Breaches were more often identified among organisations that hold personal data or where staff use personal devices for work.
The survey also pointed to a persistent unwillingness for cyber security issues to be addressed within organisations.
Only three in ten businesses (30 per cent) said they had board member with specific responsibility for cyber security, and only a fifth of businesses (20 per cent) have had any staff attend internal or external cyber security training in the last 12 months.
Less than three in 10 businesses reported that they had a cyber security policy, with even fewer (13 per cent) stating they had a cyber security incident management process in place.
“This survey very clearly shows that while the cost of dealing with cyber breaches is growing, there appears to be a persistent degree of complacency when it comes to preventing and responding to cyber-attacks,” said David Morris, technology risk assurance director at RSM.
“Nine in ten directors or senior managers in medium and large business claim to treat cyber security as a high priority but this doesn’t seem to be matched by action.
“There is much more that organisations need to do when it comes to raising staff awareness through training, identifying and managing cyber related risks and adopting good-practice technical controls.
“Cyber security must be made a Board level issue to ensure it gets the required level of focus in a business.
“It’s particularly interesting that the survey found that cyber breaches are more prevalent when staff are allowed to use their own personal devices for work.
“This is an area that we have been warning our clients about for some time and caution is needed.
Morris suggests that personal devices should be managed and controlled via a formal Bring Your Own Device Policy (BYOD).
This includes ensuring that controls applied to systems which are managed and owned by the business are also consistently applied to personal devices which staff want to use for work-related purposes.
“This is ever more important given the impending 25 of May deadline for GDPR coming into force to strengthen personal data governance,” he said.
“The reality is that organisations are only as strong as the weakest link in their network.”