Not sure I agree with your headline, John.
Putting to one side the argument about how accurate the loss estimation is (and that the true rate of breaches will be higher as this is just the detected figure), a key figure from this presentation was that total loss to UK Biz was estimated at £5-£10 billion, however this also needs to be set against a total UK spend on IT Security of around £5 Billion.
Do you really think we'd eliminate incidents if the whole of the UK doubled their security spend? We'd sure as hell cut the rate, but I'd be quite surprised if it made even a 50% difference to the overall rate of incidents.
Therefore on a simple cost vs benefit basis UK Biz is now probably spending more or less the right amount for the current threat level.
The issues at present therefore are:
a) is the money being spent on the right things
b) are the right incentives in place for companies to get it right (e.g. who ultimately bears the costs for identity theft?)
c) do businesses have any meaningful way to assess the value of what they have spent (this again was something that the PWC guys drew attention to).
So, spend more - probably not, but we do need to spend better.