IT Security

Skills rather than technology

by Mark Rowe

A survey by a training company suggests that eight out of ten (81 per cent) UK IT decision makers experienced some sort of data or cyber security breach in their organisation in 2015.

Two thirds (66 per cent) said that the breach had led to a loss of data, 45 per cent said that it had resulted in a loss of revenue, and 42 per cent said that it had resulted in a PR nightmare for the business. Despite this, however, less than a third (27 per cent) plan to invest in cyber security technologies next year.

It would also appear that not all organisations have learnt from their experience, with fewer than half (43 per cent) of IT decision makers saying that the breach had not resulted in a change of policy and procedure. Perhaps it’s not surprising that 40 per cent said they didn’t feel confident they had the right balance of cyber security skills in their organisation to protect it from threats in 2016.

Threats

1. Organised/automated cyber attack (54 per cent)
2. Compromise through employees e.g. social engineering (11 per cent)
3. Lack of encrypted data (10 per cent)
4. Employee negligence e.g. lost laptops or other mobile devices (8 per cent)
5. Not having or enforcing security policies and procedures (6 per cent)

Human error is the second largest concern (19 per cent) for IT decision makers, with ‘compromise through employees’ and ‘employee negligence’ both featuring in the top five threats.

Richard Beck, Head of Cyber Security at QA, said: “One way that organisations can try and limit the impact of a skills shortage in the IT department is to increase staff awareness of cyber threats. With a fifth of those surveyed acknowledging that the biggest threat to security next year is likely to be human error, educating staff on how to detect and deter common threats like social engineering or phishing attacks could prove invaluable in helping defend an organisation.

“The research shows that currently only 31 per cent of organisations plan to invest in employee awareness and engagement training. However, all companies should be teaching employees a ‘Cyber Security Code’ until it becomes instinctive. CESG, The National Technical Authority for Information Assurance, has a paper entitled ‘10 steps to cyber security’ which is a really good place to start for this.”

Areas for investment

When asked about key areas for investment to protect the organisation from cyber threats in 2016, over two thirds (70 per cent) of IT decision makers said they plan to invest in hiring qualified cyber security professionals in the coming year. 78 per cent said that they also expected budgets for hiring to increase next year. However, hiring isn’t a quick and easy solution. Over eight out of ten (84 per cent) respondents said that it took on average up to three months to fill a cyber security skilled role on their team. To help address this, 45 per cent say they plan to invest in further training for existing cyber security staff and 34 per cent of IT decision makers said they planned to cross-skill/train other IT staff in cyber security specialisms.

Richard Beck said: “It’s really interesting to compare and contrast some of these findings. 70 per cent of those interviewed said they planned to invest in hiring cyber security skilled professionals in 2016. However, where will these skilled professionals come from? Everyone is struggling to fill cyber security posts on their team and one organisation’s gain will become another organisation’s loss.

“It’s encouraging however to see that there is a growing acknowledgement that by training and cross-skilling existing specialist staff, companies can begin to address the skills gap. The key to making this approach work will be engaging the HR department to work alongside IT to develop strong staff retention strategies. Those companies that motivate and reward their staff appropriately are far more likely to hold on to their cyber professionals once they’ve invested in training them. Perhaps it is time security professionals shared some of the skills gap responsibility with their colleagues in HR?”

Where businesses turn for advice?

When asked which organisations they would go to for advice on increasing capabilities around cyber security, the findings show respondents would predominantly turn to the IT sector. An overwhelming 92 per cent said they would turn to their IT/technology services partner and almost half (45 per cent) would seek advice from IT vendors.

Places for advice on increasing capabilities around cyber security:

1. IT/technology services partner (92 per cent)
2. IT vendors (45 per cent)
3. Security consultant/consultancy (25 per cent)
4. Government bodies (20 per cent)
5. Training organisations (17 per cent)
6. The Information Commissioner (ICO) (16 per cent)
7. Accrediting body (14 per cent)
8. Peers (14 per cent)
9. Trade and Industry associations (14 per cent)
10. Colleagues (9 per cent)

Richard Beck concluded, “It would appear that those responsible for the security of organisations are putting the onus on the technology industry to solve their security issues. However, this is only one part of the picture when looking to negate the security risk to businesses.”

Most high-profile breaches comprise a mix of technological know-how and human error, the firm adds.

“It doesn’t matter how robust your technology is, you still face an element of risk. Pretty much every organisation I can think of is cyber-dependent to some degree. A holistic approach to security risk should ensure staff are educated against ever increasing cyber threats. Responsibility for keeping an organisation’s data safe reaches into every corner of every business.”

About the survey

Conducted in October and November 2015 by research organisation Opinion Matters among a sample of 100 IT decision-makers in the UK from organisations with 500 employees or more.