"GCHQ themselves have recently said that nine out of 10 major businesses in the UK have been attacked over the course of the last year."
Dido Harding, Chief Executive of TalkTalk Group, Radio 4 Today, 11 November 2015
A survey of businesses conducted for the government by PWC earlier this year claimed nearly nine out of 10 large businesses said they had suffered some form of information security breach in the last year. This research was done on behalf of the Department for Business, Innovation and Skills, but has been referred to by the intelligence organisation GCHQ.
There's a lot of uncertainty in this figure, which means in reality we have no idea what proportion of large businesses across the UK have experienced a breach.
PWC told us the survey was designed to look at trends in cyber breaches over time rather than to offer a figure for the frequency of cyber-attacks for all major businesses at any one point in time.
Respondents who took part in the survey were those who chose to take part, rather than being selected as a representative sample of all businesses across the UK—companies suffering from data breaches may be either more or less inclined to take part.
Self-selecting sample and excludes some responses
PWC told us the nine out of 10 figure was compiled from answers to a variety of questions, rather than respondents being asked if they had or hadn't experienced a cyber-breach in the last year.
It's also not specifically measuring just attacks on companies to access data—it encompasses accidental data leaks by staff too, as well as other security breaches. A figure of 76% is given for large companies reporting having experienced attacks by an unauthorised outsider, although this can't be relied upon either.
The report makes clear that its findings exclude respondents who either didn't answer the question, said they didn't know, or who said it wasn't applicable to them. We haven't been given the workings, so it's not clear how many respondents were excluded from this overall figure, but PWC said this shouldn't make a major difference to the figure.
What does affect the figure and its findings, it said, is that it's a self-selecting sample and that businesses may be hesitant to discuss breaches that have occurred. This makes any attempt to work out the frequency of cyber breaches, or more specifically as in TalkTalk's case, targeted data hacks, very difficult to estimate.
As a result, the survey explicitly states
"extrapolation to the wider population should be treated with caution".
This point is not obvious from the publicity of the survey.