Two thirds of large firms breached last year, government finds
Digital economy minister Ed Vaizey says results of government-backed research show there is a gap between awareness and action
A government minister has called on UK firms to "change their behaviour" following research suggesting nearly a quarter were hit by a cyberbreach or attack in the past year.
In a foreword to the research, minister for the digital economy Ed Vaizey argued that the results of the government-backed survey showed there is a "gap between awareness and action" on cybersecurity.
Commissioned by the Department for Culture, Media and Sport, the research was carried out by Ipsos MORI and involved a telephone survey of 1,008 UK businesses and 30 in-depth interviews.
Some 65 per cent of large firms with 250 staff quizzed said they had suffered at least one breach in the past 12 months. The equivalent figure for medium-sized (50 to 249 employees), small (10 to 49 employees) and micro-businesses (two to nine employees) falls to 51, 33 and 17 per cent respectively, giving an overall figure of 24 per cent.
By far the most common types of breach experienced across businesses of all sizes are virus, spyware or malware (68 per cent) and those involving impersonation of the organisation (32 per cent), the research found.
The research's other key findings include:
- The estimated average cost of all breaches was £3,480, rising to £36,500 for large firms. However, this figure is probably an underestimate, the research concluded, due to the difficulty firms have in estimating indirect costs such as lost staff time.
- The mean investment in cybersecurity in the last financial year for all firms was £4,065. Large firms forked out an average of £269,000, medium-sized firms £24,100 and micro/small firms £2,290.
- Forty-four per cent of firms outsource their cybersecurity to external providers. That figure rises to 63 and 66 per cent for small and medium-sized firms respectively.
Despite chiding firms for not doing enough, Vaizey stressed that there is a "lot of good news" in the survey.
This includes the fact that nearly half (48 per cent) of those quizzed were found to have technical controls in the five areas set out in the government's Cyber Essentials scheme, namely regularly updating software (88 per cent) and malware protections (83 per cent), configuring firewalls (85 per cent), restricting IT access to specific users (77 per cent) and placing security controls on company-owned devices (62 per cent).
"Everyone I talk to agrees the threat is significant and needs to be tackled, but there is a gap between awareness and action, which is highlighted in this report," Vaizey said.
"We see a steady stream of breaches and attacks on firms which assume they are on top of security, but still haven't got a good understanding of the possible impact on their business or what they should do about it."
Ian Kilpatrick, chairman of security distributor Wick Hill, said failure to plan for a breach means that companies do not analyse what's important to protect inside the perimeter, or deploy adequate security to defend it.
"The challenge is to not over-defend and then think that deploying lots of security will bring security, but to deploy and report on the correct solutions," he said. "And to train and manage staff so that they are aware of the risks they expose their companies to."