Britain has become a leading target for cyber criminals, with UK businesses now experiencing higher numbers of cyber attacks than businesses anywhere else in the world. According to the UK Government’s 2015 Information Security Breaches survey, last year UK businesses reported an 81% increase in security breaches compared to the previous year.
Our recent Corporate Security in 2016 survey of IT decision makers in UK companies with 500 employees or more confirms that battling the rising tide of cyber threats is keeping CIOs, CTOs and CSOs awake at night. And while many have plans to invest in additional security technologies or employ more skilled security professionals in 2016, increasingly it is employees that represent the weakest link in the security chain.
Most UK organisations experienced a security breach last year
More than eight-out-of-ten (81%) UK IT decision makers we talked to said their organisation had experienced a data or security breach in 2015 and that the resulting consequences were serious. In most cases (66%) this resulted in a breach of data, while almost half of respondents (45%) reported a loss of revenue. Furthermore, 42% said their organisation had had to deal with a PR nightmare as a result of a cyber attack.
When it came to identifying the biggest threat to corporate security in 2016, IT decision makers were clear. Organised or automated cyber attacks topped the list for 54%, and were a particular concern for those that had suffered a security breach in 2015 (58%). But one-fifth went on to state that the second biggest threat they faced in the coming year was hackers gaining access to the company as a result of human error.
All of which explains why IT decision makers expressed a growing concern that corporate colleagues frequently underestimate the impact of not following cyber security procedures. Key issues were that security policies and procedures were not being enforced, and that ordinary end users are frequently kept in the dark when it comes to security awareness and responsibilities. Other concerns included the risk resulting from employee negligence in relation to lost laptops or other mobile devices (8%), and a lack of encrypted data (10%).
Responses to the cyber threat
Once bitten, twice shy appears to be the name of the game when it comes to a data or security breach, with over half (57%) of respondents confirming policies and procedures had been changed as a result. A further 77% went on to say that they would be looking to hire additional qualified cyber security professionals in 2016 to address skills deficits within the IT organisation.
But IT leaders aren’t relying on recruitment alone to plug the skills gap. Almost half (45%) are looking to invest in further training for existing security professionals, and over a third (34%) intend to cross-skill other IT staff in cyber security.
There was also a clear acknowledgement from some IT leaders that while the latest security technologies and top-flight professionals will protect core systems, employees remain the weakest link when it comes to securing the enterprise. From opening attachments to following links in emails, end user behaviours can inadvertently let hackers in through the back door.
But while a third (31%) of the survey respondents said 2016 will see them investing in enabling greater employee awareness and engagement in cyber security, 36% of organisations had no plans to undertake user awareness training in 2016.
That’s a concern when you consider that even back in 2013 industry analysts IDC were reporting that more than 60% of external attacks were targeted at employees via social engineering. And there’s clear evidence that hackers are increasingly looking to access a company’s network via its staff: the Government’s 2015 Information Security Breaches survey reveals that last year there was a noticeable 38% year-on-year increase in unauthorised outsider attacks on large organisations, which included activities such as spear phishing attacks and identity theft.
Covering all bases
With the threat landscape escalating, IT leaders confirm that as well as battling with internal inertia and a lack of an appropriate security skills mix within the IT team, cyber security budgets are also under pressure. Although 27% were planning to invest in additional cyber security technologies in 2016, over a third (36%) said that budgets for such technologies will shrink this year.
All of which may explain why IT leaders are now focusing on boosting the profile of cyber security at every level of the organisation itself: tightening security protocols, enforcing security policies and procedures, and increasing staff awareness of cyber threats.
Indeed, there appears to be a growing recognition that companies should ideally ensure all employees are taught a basic ‘Cyber Security Code’ as a bare minimum. As UK organisations look to pull up the security drawbridge and improve cyber security systems, communication, education and training represent an essential step to changing user behaviours. With threat levels continuing to elevate, ensuring everyone is ‘on side’ with security responsibilities means giving people the skills and knowledge that empower them to become the strongest link in defending the enterprise.
By Richard Beck, Head of Cyber Security at QA