The current threat landscape being faced by UK organisations is constantly evolving and maturing, with cyber incidents becoming one of the biggest causes of major recovery today. Databarracks' latest Data Health Check report, a survey of over 350 UK IT decision makers, shows that just a third of respondents were unscathed by an attack in the last 12 months. An IT skills deficit, compounded by employees continuously flouting company security procedures, only exacerbates these risks further.
In today's highly sensitive security environment, a salient element in mitigating risk is having the relevant skills in place. However, Databarracks' recent findings show a worrying cyber-security skills shortage. Nearly half (47 percent) of organisations do not believe they have sufficient skills in-house to deal with the current threat landscape. Of that number, 32 percent are actively trying to improve the level of skills within their internal IT team.
Sadly these findings are not completely surprising – last year the British government added cyber-security to the UK skills shortage register. As the skills and tools used by hackers grow in sophistication, and the risk against UK businesses continues to grow, demand for in-house cyber-security skills will only rise, with increased competition amongst employers who seek to secure the most in-demand skills.
Disregard for security policies
One of the biggest hurdles in administering good security practices comes from within the organisation itself. Sixty-one percent of organisations believe their employees are flouting security policies at least once a month, with nearly a third (28 percent) saying that it's daily or more. IT managers clearly lack confidence in their employees' commitment to security plans. And, if they are right in their assumptions, this leaves businesses seriously exposed to cyber-threats, as well as other more traditional risks such as social engineering.
It's clear that there is a blind ignorance to security in the sense that people simply don't realise the consequences of their actions. It's unlikely that employees who ignore security policies do so to purposely threaten the business; they either feel too restricted by the policies that are in place or they are unaware of the consequences of their actions.
Adding to the problem, many IT departments handle incidents in the background with only key senior individuals being informed. Unfortunately, if risks aren't communicated internally to the entire business, then employees are likely to carry on making the same mistakes. No amount of investment in cyber security policies can make up for poor employee habits; so IT managers need to address this issue if they are to secure their organisation from malicious threats. Awareness training should be a part of every new employee's induction process, with annual refresher training carried out for every member of staff.
Ultimately, a more open dialogue between the IT department and the rest of the business is required. IT managers need to identify security processes that are too restrictive or unintuitive and work towards improving their employees' experience with them. Security is not just a box ticking exercise anymore; it's a concern for everyone in the business.
Reassuringly, a third of respondents admitted that they had reviewed their cyber-security policies this year and made changes following an attack. What's more, in the last 12 months over half of respondents have invested in new safeguards to protect specifically against cyber-threats. Ongoing cyber-awareness training, cyber-threat monitoring software, and official cyber-security policies were the most common cyber-security investments organisations made in the last year.
Although it's encouraging that the number of people looking to improve their security policies is increasing each year, the next step is for more organisations to start adopting an increasingly proactive approach. It's better to invest in sound defensive policies now than pay the price later.
Contributed by Oscar Arean, technical operations manager, Databarracks