Almost a third (31 per cent) of organisations have been affected by cyber-crime in the past 12 months, according to new research from Databarracks. In light of this, the business continuity expert suggests that organisations must look to invest in ongoing cyber awareness training, especially following the government’s proposed fines for firms who fall victim to cyber-attacks.
As part of the Network and Information Systems (NIS) directive, which becomes law across the EU next May and is separate from the General Data Protection Regulation (GDPR), the government has warned that organisations could face fines of up to £17million or 4 per cent of global turnover if they fail to protect against hackers. The crackdown is aimed at making sure essential services such as water, energy, transport and health firms are safeguarded against hacking attempts.
According to the government, the fines will be a last resort and they will not apply to organisations who have put the appropriate safeguards in place but have still suffered a breach. However, findings from Databarracks’ seventh Data Health Check report, which surveyed over 400 IT decision makers in the UK about their IT security and continuity practices, shows:
- 41 per cent of organisations have not invested in any safeguards over the last 12 months;
- Only 34 per cent of organisations have invested in cyber awareness training;
- Only 11 per cent of organisations have certified to a cyber security framework.
Peter Groucutt, managing director at Databarracks, outlines the importance of ongoing cyber awareness training for staff, as well as the need to ensure that firms are continuously communicating risks throughout the business:
“Ongoing cyber awareness training is an integral element in an organisation’s defence against cyber-attacks. However, our research indicates that this has not been a focal point for many organisations over the past 12 months. This is concerning, especially in light of the NIS directive and therefore immediate action is needed to address it.
“Firstly, for organisations who only carry out awareness training once a year – typically as part of an initial employee induction – we’d recommend increasing this to at least twice annually as well as providing employees with frequent security refreshers. The rate of change in cyber-threats means that we all need to constantly adapt our methods of protection. It’s no longer acceptable for cyber awareness training to be a five-minute warning given to new starters, the entire workforce needs to be informed and up to date on new threats.
“Additionally, this approach needs to be supported by the IT department who, when an incident occurs, needs to communicate this to the entire business, providing insight as to why an incident took place, what the implications were and, most importantly, what can be done to prevent this from happening again.
“Protecting your organisation from threats in not just about preventative technology, it’s also about building a culture of information security. An employee’s understanding of security is one of the most important and effective security measures that organisations should be investing in, not least because unwitting employees are often the unknowing accomplice within an attack. While good security habits take time, effort and repetition, it’s better to invest in good practices now than pay the price later,” concludes Peter.