Beware human factor

by Mark Rowe

Most UK employers are underestimating the “human factor” of staff behaviour in corporate cyber risk. That is among the findings from a study by AXELOS, a UK Government joint venture with the private firm Capita.

The research showed that only a minority of executives responsible for information security training in organisations with more than 500 employees believe their cyber security training is “very effective”. While four in 10 (42 per cent) say their training is “very effective” at providing general awareness of information security risks, only just over a quarter (28 per cent) say their efforts are “very effective” at changing behaviour in relation to information security.

For ensuring compliance with regulatory requirements, 37 per cent rate their training as very effective though only a third (33 per cent) rate it very effective in reducing exposure to the risk of information security breaches. A similar minority (32 per cent) are “very confident” that the training is relevant to staff, despite almost all respondents (99 per cent) citing security awareness as important to minimise the risk of security breaches.
When asked how many staff had completed their information security awareness programme, respondents in a quarter of organisations said that no more than half of staff had done so.

Nick Wilding, head of cyber resilience best practice at AXELOS, said: “Despite organizations continuing to invest heavily in technology to better protect their precious information and systems, the number and scale of attacks continues to rise as they discover there is no ‘silver bullet’ to help them achieve their desired level of cyber security. And they often underestimate the role that their own employees – from the boardroom to the frontline – can play: staff should be their most effective security control but are typically one of their greatest vulnerabilities.”

While praising UK organisations for acknowledging the importance of information security awareness learning, Wilding warned that current training and awareness approaches often aren’t effective. He said: “Though 32 per cent of organizations are very confident about the relevance of the training they provide, there are nearly two-thirds (62 per cent) that are only ‘fairly confident’. Cyber-attacks are now business as usual and the resulting financial and reputational damage can be significant. As a result, organizations need to be more certain that they are engaging their people effectively to better equip them to manage the cyber and information security risks they now all face.

“Imagine how customers would respond if told that ‘we’re fairly confident that your precious information is safe from attack’. Equally, reporting to a board of directors that the level of confidence in the organisation’s information security awareness is only ‘fair’ would be given short shrift. If UK company boards are not asking those responsible about the current effectiveness of their awareness learning among their people and what is being done to improve their cyber resilience, then they should be.”

AXELOS has produced an eight page downloadable guide for directors and managers responsible for information awareness learning and associated staff training to evaluate their approach – visit https://www.axelos.com/Corporate/media/Files/cyber-awareness.pdf.

About AXELOS

It’s a joint venture between Capita and the Cabinet Office, launched in January 2014, to promote best management practice.

Comment

Ross Brewer, VP and MD of EMEA, LogRhythm said: “There is an incredibly high number of security incidents that are caused by, or involve, human error. No person or organisation is infallible and employees will always be a weak link in an organisation’s security chain. A common problem is that organisations can think it’s important to only educate those at the top of the management tree, but this is a dangerous approach. Indeed, we are increasingly hearing stories of cybercriminals looking for a gateway to the network by targeting employees lower down the ladder, quite often via spear phishing. The fact is, every employee who has access to the corporate network is a target, and with hackers using increasingly devious techniques, it only takes one download or one click of the mouse for someone to put the entire company at risk.

“Organisations must have a solid training scheme in place that regularly educates all of their employees on how to identify and avoid potential threats. This needs to include the basics, such as using hard to guess passwords or different log-in details for multiple accounts. These rules may seem obvious, but it’s surprising how many companies have fallen victim because they haven’t been followed.

“Hackers are increasingly targeting individuals as opposed to organisations, because they know they can tap into a weakness that can never be patched. It’s therefore more important than ever that businesses put additional tools in place that can identify these vulnerabilities as soon as they are exploited. Organisations are only ever one infected email away from a breach – and without education as the first line of defence, and security intelligence as the second, hackers will find it increasingly easy to gain access to corporate data.”
