UK organisations are putting their reputation, customer trust and competitive advantage at greater risk by failing to give their staff effective cyber-security awareness training and the ability to defend against cyber-attacks, according to a new report.
The research carried out by Axelos, a UK government/Capita joint venture, found that 75 percent of large organisations suffered staff-related security breaches in 2015, with 50 percent of the worst breaches caused by human error.
The research showed that only a minority of executives responsible for information security training in organisations with more than 500 employees believe their cyber-security training is “very effective”. While four in ten (42 percent) say their training is “very effective” at providing general awareness of information security risks, only just over a quarter (28 percent) say their efforts are “very effective” at changing behaviour in relation to information security.
For ensuring compliance with regulatory requirements, 37 percent rate their training as very effective though only a third (33 percent) rate it very effective in reducing exposure to the risk of information security breaches. A similar minority (32 percent) are “very confident” that the training is relevant to staff, despite almost all respondents (99 percent) citing security awareness as important to minimise the risk of security breaches.
When asked how many staff had completed their information security awareness programme, respondents in a quarter of organisations said that no more than 50 percent of staff had done so.
Nick Wilding, head of cyber-resilience best practice at Axelos, said: “Despite organisations continuing to invest heavily in technology to better protect their precious information and systems, the number and scale of attacks continues to rise as they discover there is no ‘silver bullet’ to help them achieve their desired level of cyber-security.
“And they often underestimate the role that their own employees – from the boardroom to the front line – can play: staff should be their most effective security control but are typically one of their greatest vulnerabilities.”
He added that although two percent of organisations are very confident about the relevance of the training they provide, nearly two-thirds (62 percent) are only ‘fairly confident’.
“Cyber-attacks are now business as usual and the resulting financial and reputational damage can be significant. As a result, organisations need to be more certain that they are engaging their people effectively to better equip them to manage the cyber and information security risks they now all face,” he said.
Richard Walters, senior vice president of Security Products at Intermedia, told SCMagazineUK.com that employees are a company's first line of defence but they also need to be aware of the security threats out there in order to avoid them.
“Staff training should be constantly refreshed to ensure it stays in line with evolving threats. Equally, companies need to stay on top of the game themselves and implement dynamic security policies that evolve in step with technological advancements. This approach will give employees clear guidance on what they should and shouldn't be doing,” he said.
Paul Trulove, vice president of product management at SailPoint, told SC that without a clear understanding of how their employees work or access data, organisations run the risk of inadvertently opening their doors to a data breach.
“Whether intentional or not, people are the cause of a large portion of breaches. Criminals are using social engineering to greater effect – phishing emails and other means through which people mistakenly release information are one of the greatest threats to companies today. As hackers advance their strategies, an essential part of security must be on educating individuals on the types of attacks they are likely to encounter,” he said.