The assault by cybercriminals against big businesses continued this year – 93% of big companies suffered a data breach in 2012, and 78% were attacked by outsiders, according to a report by Price Waterhouse Cooper. But small businesses – those with fewer than 50 employees – are rapidly becoming a target, with attacks by outsiders doubling in one year.
Overall, the cost to British business has tripled in the past year, the report said – with large businesses facing attack every few days, and smaller businesses every few weeks.
“Small businesses used not to be a target, but are now also reporting increasing attacks,” the British report warned, saying that breaches suffered by small businesses had increased nearly by half. This year, 63% of small businesses suffered a security breach – last year, that figure was 41%.
The report, commissioned in partnership with the British government’s Department for Business, Innovation and Skills and based on a survey of 1,400 people, found that attacks by outsiders against small businesses had more than doubled – up to 15% from 7% a year ago.
“Outsider attacks also increased substantially, especially against small businesses,” the report said. “Large organizations still bear the brunt of attacks, with the average company having a serious attack every few days. But, small businesses are rapidly becoming a target too, on average suffering a serious attack once every six weeks.”
The IB Times reported that the sheer number of breaches meant that security spending was rising steadily – to what PWC described as “the highest level ever recorded in this survey.” Companies now spend 10% of their IT budget on security, according to the report.
“Overall, the survey results show that companies are struggling to keep up with security threats, and so find it hard to take the right actions. The right tone from the top is vital – where senior management are briefed frequently on the potential security risks, security defences tend to be stronger.”
ESET Senior Research Fellow David Harley says, “I doubt if there’s any business that hasn’t experienced some sort of breach (which may or may not have been noticed). But some kinds of attack probably work better against small businesses (which don’t usually have dedicated security staff).”
PWC also observed that larger businesses tended to be better at ‘vetting’ third-party companies such as suppliers, saying, “Large organisations are generally more diligent at ensuring third parties have adequate security. For example, they are three times as likely as small businesses to obtain audit rights and twice as likely to carry out penetration testing.”
Many breaches still occur due to staff error – 36% of the year’s worst breaches were due to “human error”, PWC says, and a further 10% due to deliberate misuse of systems.
“There’s a clear payback from investing in staff training. 93% of companies where the security policy was poorly understood had staff-related breaches versus 47% where the policy was well understood,” PWC says.
ESET’s Stephen Cobb explores many of these issues – and some of the pitfalls facing smaller businesses – in a We Live Security post entitled, “Why your small business needs an information security policy.”
Author Rob Waugh, We Live Security