A survey* conducted by training company QA, reveals that eight out of ten (81%) UK IT decision makers experienced some sort of data or cyber security breach in their organisation in 2015. 66 per cent said that the breach had led to a loss of data, 45 per cent said that it had resulted in a loss of revenue, and 42 per cent said that it had resulted in a PR nightmare for the business. Despite this, however, less than a third (27%) plan to invest in cyber security technologies next year.
It would also appear that not all organisations have learnt from their experience, with lessthan half (43%)of IT decision makers saying that the breach had not resulted in a change of policyand procedure. Perhaps it’s not surprising that 40 per cent said they didn’t feel confident they had the right balance of cyber security skills in their organisation to protect it from threats in 2016.
The Biggest Threats to Corporate Security in 2016
- Organised/automated cyber attack (54%)
- Compromise through employees e.g. social engineering(11%)
- Lack of encrypted data (10%)
- Employee negligence e.g. lost laptops or other mobile devices (8%)
- Not having or enforcing security policies and procedures (6%)
Human error is the second largest concern (19%) for IT decision makers, with both ‘compromise through employees’ and ‘employee negligence’ both featuring in the top five threats.
Richard Beck, Head of Cyber Security at QA, said: “One way that organisations can try and limit the impact of a skills shortage in the IT department is to increase staff awareness of cyber threats. With a fifth of those surveyed acknowledging that the biggest threat to security next year is likely to be human error, educating staff on how to detect and deter common threats like social engineering or phishing attacks could prove invaluable in helping defend an organisation.
“The research shows that currently only31per cent of organisations plan to invest in employee awareness and engagement training. However, all companies should be teaching employees a ‘Cyber Security Code’ until it becomes instinctive. CESG, The National Technical Authority for Information Assurance, has a paper entitled ‘10 steps to cyber security’ which is a really good place to start for this.”
Key Areas for Investment in 2016 – Skills rather than Technology
When asked about key areas for investment to protect the organisation from cyber threats in 2016, over two thirds (70%) of IT decision makers said they plan to invest in hiring qualified cyber security professionals in the coming year. 78 per cent said that they also expected budgets for hiring to increase next year. However, hiring isn’t a quick and easy solution. Over eight out of ten (84%) respondents said that it took on average up to three months to fill a cyber security skilled role on their team. To help address this, 45 per cent say they plan to invest in further training for existing cyber security staff and 34 per cent of IT decision makers said they planned to cross-skill/train other IT staff in cyber security specialisms.
Richard Beck, went on to say: “It’s really interesting to compare and contrast some of these findings. 70 per cent of those interviewed said they planned to invest in hiringcyber security skilled professionals in 2016. However, where will these skilled professionals come from? Everyone is struggling to fill cyber security posts on their team and one organisation’s gain will become another organisation’s loss.
“It’s encouraging however to see that there is a growing acknowledgement that by training and cross-skilling existing specialist staff, companies can begin to address the skills gap. The key to making this approach work will be engaging the HR department to work alongside IT to develop strong staff retention strategies. Those companies that motivate and reward their staff appropriately are far more likely to hold on to their cyber professionals once they’ve invested in training them. Perhaps it is time security professionals shared some of the skills gap responsibility with their colleagues in HR?”
Where businesses turn for advice?
When asked which organisations they would go to for advice on increasing capabilities around cyber security, the findings show respondents would predominantly turn to the IT sector. An overwhelming 92 per cent said they would turn to their IT/technology services partner and almost half (45%) would seek advice from IT vendors.
Top 10 places for advice on increasing capabilities around cyber security:
- IT/technology services partner (92%)
- IT vendors (45%)
- Security consultant/consultancy (25%)
- Government bodies (20%)
- Training organisations (17%)
- The Information Commissioner (ICO) (16%)
- Accrediting body (14%)
- Peers (14%)
- Trade & Industry associations (14%)
- Colleagues (9%)
Richard Beck concluded, “It would appear that those responsible for the security of organisations are putting the onus on the technology industry to solve their security issues. However, this is only one part of the picture when looking to negate the security risk to businesses.
A large majority of high profile breaches, comprise a mix of technological know-how and human error.
“It doesn’t matter how robust your technology is, you still face an element of risk. Pretty much every organisation I can think of is cyber-dependent to some degree. A holistic approach to security risk should ensure staff are educated against ever increasing cyber threats. Responsibility for keeping an organisation’s data safe reaches into every corner of every business.”
*Survey conducted in October and November 2015 by research organisation Opinion Matters amongst a sample of 100 IT Decision Makers in the UK from organisations with 500 employees or more.