Date: 2018-04-26

Study finds

The average cost of cyber breaches affecting medium-sized businesses has quadrupled in the last two years, according to the latest government survey.

The Cyber Security Breaches Survey 2018, carried out by Ipsos MORI on behalf of the Department for Culture, Media and Sport, found that the estimated total cost of cyber breaches has consistently increased from £1,860 in 2016 to £3,070 in 2017 and £8,180 in 2018 – even when including breaches that do not result in lost assets or data. This represents an increase of over 400 per cent in just two years.

In instances where breaches do result in a material loss of assets or data, the impacts can be much higher – on average £16,100 for medium-sized businesses and £22,300 for large businesses. These costs can include investment in new measures, including tools and technology, to protect against future attacks and increased staff resource.

The survey found that two thirds (65 per cent) of medium and large businesses have identified and reported at least one breach or attack in the last 12 months.

Breaches were more often identified among organisations that hold personal data or where staff use personal devices for work.

The survey also pointed to a persistent unwillingness for cyber security issues to be addressed within organisations. Only three in ten businesses (30 per cent) said they had a board member with specific responsibility for cyber security, and only a fifth of businesses (20 per cent) have had any staff attend internal or external cyber security training in the last 12 months.

Fewer than three in ten businesses reported that they had a cyber security policy, with even fewer (13 per cent) stating they had a cyber security incident management process in place.

Sheila Pancholi, a technology risk assurance partner at RSM, commented:

‘This survey very clearly shows that while the cost of dealing with cyber breaches is growing, there appears to be a persistent degree of complacency when it comes to preventing and responding to cyber-attacks.’