The Department for Business, Innovation and Skills (BIS) said that the average cost of reputational damage to large UK organisations stemming from breaches was between £50,000 and £180,000 in 2013, up from £25,000 to £115,000 in 2012.
"Reputational damage seemed to affect large organisations much more than the small ones," the BIS report on its information security breaches survey (22-page / 1.15MB PDF) said. "Although almost 70% of companies were able to keep knowledge of their worst incident internal, there was a large rise in adverse media coverage of security breaches."
EU privacy watchdog the Article 29 Working Party recently published guidance on reporting personal data breaches to regulators and the public. The guidance said businesses should consider the "likely secondary effects" of a data breach when determining whether to notify individuals about those cases.
The recommendations were aimed specifically at providers of publicly available electronic communications services in the EU, who are under legal obligations to notify regulators and individuals about certain personal data breaches they experience. However, the Working Party said that it would be "good practice" for all organisations to follow the guidance. Proposed new EU data protection laws would, in any case, extend data breach notification obligations to all organisations in certain circumstances.
The survey, conducted by PwC on behalf of BIS, questioned 1,125 respondents from UK businesses of varying sizes operating in a range of sectors about information security breach incidents affecting their organisation. IT professionals made up approximately a third of all respondents; business managers, executives and non-executive directors were among the others who participated. Around half of the respondents were from businesses based in London or the south east of England.
Upon analysing the survey's findings, BIS estimated that the cost facing businesses in dealing with information security breach incidents nearly doubled in 2013 compared to 2012, with the total cost soaring into billions of pounds. BIS said that "adverse media coverage of security breaches" was behind a "huge rise in the average cost of organisations’ worst breach of the year".
"Using the same basis as previous surveys, the cost of the worst breach of the year has nearly doubled last year’s figures to £65,000-£115,000 for small businesses and £600,000-£1,150,000 for large organisations," the report said. "As always, extrapolation of cost data across the whole of the UK should be treated with caution, especially given the self-select nature of the survey and the response levels for some of the questions. However, based on the number of breaches and the cost of the worst breaches, we estimate that the total cost of breaches has roughly doubled from 2013 and is in the order of billions of pounds per annum."
The survey revealed that the proportion of respondents whose organisation had experienced a data security breach in the past year had fallen compared with 2012, as had the average number of breaches organisations identified. However, 81% of respondents from large organisations said that their business had experienced a data breach in 2013, with a median of 16 breaches per affected organisation during the year.
According to the survey, almost three quarters of all large UK businesses "suffered from infection by viruses or malicious software in the past year", although fewer companies reported attacks from unauthorised outsiders. Around one in six large organisations (16%) know that their intellectual property or other confidential data was stolen by external hackers in 2013, it said.
The report also detailed a fall in the proportion of large organisations seeing "staff-related security breaches", although 58% of such companies still experienced these incidents, down from 73% in 2012. Moreover, more than half of "the worst security breaches in the year" reported by businesses could be traced back to "inadvertent human error" (31%) or "deliberate misuse of systems by staff" (20%).
More than half of large UK businesses (52%) now have "insurance that would cover them in the event of a breach", the survey also revealed. A third of UK organisations have no contingency plan in place for dealing with information security incidents when they arise, and only 43% of respondents said their contingency plans had proved effective.
"The sharp increase in the costs associated with security breaches underlines the fact that cyber security is a significant business risk that must be taken seriously," UK minister for universities and science David Willetts said. "Government is focusing its efforts on working in partnership with industry, academia and international partners. The benefits of a stable and secure cyberspace are a clear driver for a shared responsibility in improving the UK’s cyber security."