Richard Beck, Head of Cyber Security at QA explores how, with less than one-third of IT decision makers planning to invest in cyber security technologies in 2016, UK businesses are looking to embed user awareness and vigilance at every level of the organisation.
Britain has become a leading target for cyber criminals, with UK businesses now experiencing more cyber attacks than their counterparts elsewhere in the world. According to the UK Government’s 2015 Information Security Breaches survey, last year UK businesses reported an 81 per cent increase in security breaches compared to the previous year. Our recent Corporate Security in 2016 survey of IT decision makers in UK companies with 500 employees or more confirms that battling the rising tide of cyber threats is keeping CIOs, CTOs and CSOs awake at night. And while many have plans to invest in additional security technologies or employ more skilled security professionals in 2016, it is increasingly employees that represent the weakest link in the security chain.
More than eight out of ten (81 per cent) of the UK IT decision makers we talked to said their organisation had experienced a data or security breach in 2015, and that the consequences were serious. In most cases (66 per cent) this resulted in a breach of data, while almost half of respondents (45 per cent) reported a loss of revenue. Furthermore, 42 per cent said their organisation had had to deal with a PR nightmare as a result of a cyber attack. When it came to identifying the biggest threat to corporate security in 2016, IT decision makers were clear. Organised or automated cyber attacks topped the list for 54 per cent, and were a particular concern for those that had suffered a security breach in 2015 (58 per cent). But one-fifth went on to state that the second biggest threat they faced in the coming year was hackers gaining access to the company as a result of human error.
All of which explains why IT decision makers expressed a growing concern that corporate colleagues frequently underestimate the impact of not following cyber security procedures. Key issues were that security policies and procedures were not being enforced, and that ordinary end users are frequently kept in the dark when it comes to security awareness and responsibilities. Other concerns included the risk resulting from employee negligence in relation to lost laptops or other mobile devices (8 per cent), and a lack of encrypted data (10 per cent).
Responses to the cyber threat
Once bitten, twice shy appears to be the name of the game when it comes to a data or security breach, with over half (57 per cent) of respondents confirming that policies and procedures had been changed as a result. And 77 per cent said they would be looking to hire additional qualified cyber security professionals in 2016 to address skills deficits within the IT organisation.
But IT leaders aren’t relying on recruitment alone to plug the skills gap. Almost half (45 per cent) are looking to invest in further training for existing security professionals, and over a third (34 per cent) intend to cross-skill other IT staff in cyber security.
There was also a clear acknowledgement from some IT leaders that while the latest security technologies and top flight professionals will protect core systems, employees remain the weakest link when it comes to securing the enterprise. From opening attachments, to following links from emails, end user behaviours can inadvertently let hackers in through the back door.
But while a third (31 per cent) of the survey respondents said 2016 will see them investing in greater employee awareness and engagement in cyber security, 36 per cent of organisations had no plans to undertake user awareness training in 2016. That is a concern when you consider that even back in 2013 industry analysts IDC were reporting that more than 60 per cent of external attacks targeted employees via social engineering. And there is clear evidence that hackers are increasingly looking to access a company’s network via its staff: the Government’s 2015 Information Security Breaches survey reveals a noticeable 38 per cent year-on-year increase in unauthorised outsider attacks on large organisations, including activities such as spear phishing and identity theft.
Covering all bases
With the threat landscape escalating, IT leaders confirm that as well as battling internal inertia and a lack of an appropriate security skills mix within the IT team, cyber security budgets are also under pressure. Although 27 per cent were planning to invest in additional cyber security technologies in 2016, over a third (36 per cent) said that budgets for such technologies will shrink this year. All of which may explain why IT leaders are now focusing on boosting the profile of cyber security at every level of the organisation: tightening security protocols, enforcing security policies and procedures, and increasing staff awareness of cyber threats. Indeed, there appears to be a growing recognition that companies should ensure all employees are taught a basic ‘Cyber Security Code’ as a bare minimum. As UK organisations look to pull up the security drawbridge and improve their cyber security systems, communication, education and training represent an essential step towards changing user behaviours. With threat levels continuing to rise, ensuring everyone is ‘on side’ with their security responsibilities means giving people the skills and knowledge that empower them to become the strongest link in defending the enterprise.