Richard Beck, head of cyber-security, QA

Businesses in the UK are at greater risk of cyber-crime than those in any other country in the world. According to the UK government's 2015 Information Security Breaches Survey, 74 percent of small businesses and 90 percent of large businesses suffered a security breach last year, with the figure for large businesses up from 81 percent in 2014. The financial consequences of such attacks were significant: the survey puts the average cost of the worst single breach for UK companies employing more than 500 people at £1.46 million or more. Smaller businesses did not fare much better, with the average cost of their worst breach starting at £75,200.

Given that the cost of a successful attack can range from minor inconvenience to reputational damage, loss of customer data and regulatory fines, most UK businesses now fully appreciate how severe the consequences of a cyber-attack can be. Yet many still have some way to go when it comes to implementing good risk management, including educating staff on cyber-risks.

Examining the threats

Over half (54 percent) of the IT decision makers participating in the Cyber Skills Gap survey* recently conducted by QA said organised or automated cyber-attack represented the biggest threat to the security of their data systems in the coming year. This was of particular concern for the 58 percent who had already experienced such a security breach in 2015.

Next came risks originating inside the organisation rather than from targeted attackers: almost one in five (19 percent) respondents were worried about the impact of human error, made up of 11 percent who were concerned that data would be compromised by employees and eight percent who feared employee negligence.

The survey findings also reveal that one in ten respondents were worried their organisation could be compromised because employees do not follow, or are not aware of, security policies. Meanwhile, a lack of security policies and procedures, or a failure to enforce them, was a concern for six percent of respondents, and a further four percent said that a lack of security training and awareness left their organisation in a vulnerable position.

Clearly, people represent one of the three key domains (alongside process and technology) of any effective cyber-security strategy. Helping staff understand the part they play in keeping information secure is an essential first step, and educating staff on how to detect and deter common threats such as phishing and social engineering can prove invaluable in defending an organisation. When you consider the frequently cited estimate that 80 percent of cyber-attacks could have been prevented through basic security hygiene, it pays to make staff aware of the simple measures they need to take and to ensure that they are informed about your organisation's security policies and procedures.

Mind the cyber-skills gap

Worryingly, 40 percent of the UK IT decision makers surveyed were concerned they lacked the right balance of cyber-security skills in their organisation to protect it from threats in the coming year.

Seven out of ten respondents (70 percent) confirmed they were looking to hire qualified cyber-security professionals this year, but acknowledged that hiring is not a quick fix for the cyber-security challenge: 81 percent say it can take between one and three months to fill a cyber-security or similarly skilled role, and a further 13 percent say that in their experience the process can extend to six months. With competition for skilled professionals becoming intense, one organisation's gain is highly likely to be another organisation's loss.

In addition, budgets for information security technologies appear to be under pressure. Just 27 percent of those surveyed have confirmed plans to invest in such technology this year, while 36 percent of IT professionals expect their budget for it to be reduced.

In response, IT decision makers confirm they are planning to invest in further training for existing security professionals (45 percent) and in cross-skilling or training other IT staff (34 percent). Almost one third (31 percent) also had employee awareness training and engagement in cyber-security firmly in their sights, a move that indicates a growing recognition within UK organisations that training staff in cyber-awareness is a cornerstone of corporate security.

It was also significant that around one in six (17 percent) IT decision makers said they would approach training organisations for advice, with a further nine percent turning to colleagues to share new skills as an effective form of safeguarding.

Taking a proactive approach

Increasingly, UK organisations are coming to recognise that reliance on technology alone will not solve their security problems. Responsibility for cyber-security extends across the business, and when it comes to limiting the impact of a skills shortage in the IT department, the answer is to increase staff awareness of cyber-threats. All companies should be teaching employees a 'Cyber Security Code' until it becomes second nature. CESG, the National Technical Authority for Information Assurance, publishes guidance entitled 10 Steps to Cyber Security, which is a good starting point for organisations looking to raise staff awareness of this critical topic.

*Survey conducted in November 2015 by research organisation Opinion Matters among a sample of 100 IT decision makers in the UK from organisations with more than 500 employees.

Contributed by Richard Beck, head of cyber-security, QA