A lack of cyber security awareness among employees is putting UK organisations at greater risk, a study has revealed.
UK organisations are putting their reputation, customer trust and competitive advantage at greater risk by failing to provide staff with effective cyber security awareness and capability to defend against cyber attacks, according to the study commissioned by Axelos, a UK government joint venture with outsourcing firm Capita.
Axelos was set up in July 2013 to develop, enhance and promote a number of best practice methodologies in project, programme and portfolio management, IT service management and cyber resilience.
The research shows that most UK organisations are underestimating the “human factor” of employee behaviour in corporate cyber risk.
The research report said this finding is a cause for concern, especially since 75% of large organisations and nearly a third of small organisations suffered staff-related security breaches in 2015, with 50% of the worst breaches caused by human error, according to the UK government’s 2015 information security breaches survey.
The Axelos study shows only a minority of executives responsible for information security training in organisations with more than 500 employees believe their cyber security training is “very effective”. Four in 10 say their training is “very effective” at providing general awareness of information security risks, while just over a quarter say their efforts are “very effective” at changing behaviour in relation to information security.
For ensuring compliance with regulatory requirements, 37% rate their training as very effective, but only 33% rate it very effective in reducing exposure to the risk of information security breaches. Only 32% are “very confident” that the training is relevant to staff, despite almost all respondents (99%) citing security awareness as important to minimise the risk of security breaches.
Staff’s security role is ‘underestimated’
When asked how many staff had completed their information security awareness programme, respondents in a quarter of organisations said that no more than 50% of staff had done so.
Nick Wilding, head of cyber resilience best practice at Axelos, said: “Despite organisations continuing to invest heavily in technology to better protect their precious information and systems, the number and scale of attacks continues to rise as they discover there is no silver bullet to help achieve their desired level of cyber security.
“They often underestimate the role their employees – from the boardroom to the frontline – can play. Staff should be the most effective at security control, but are typically one of the greatest vulnerabilities.”
Awareness training must improve
While praising UK organisations for acknowledging the importance of information security awareness learning, Wilding warned that current training and awareness approaches are often not effective.
“Although 32% of organisations are ‘very confident’ about the relevance of the training they provide, there are nearly two-thirds (62%) that are only ‘fairly confident’,” said Wilding.
“Cyber attacks are now business as usual and the resulting financial and reputational damage can be significant. Organisations need to be more certain that they engage their people effectively to better equip them to manage the cyber and information security risks they now all face.
“Imagine how customers would respond if told that ‘we’re fairly confident that your precious information is safe from attack’. Equally, reporting to a board of directors that the level of confidence in the organisation’s information security awareness is only ‘fair’ would be given short shrift.
“If UK company boards are not asking those responsible about the current effectiveness of their awareness learning among their people and what is being done to improve their cyber resilience, then they should be.”
Tools and resources
According to Wilding, Axelos’s Resilia cyber resilience best practice portfolio includes certified training, awareness learning for all staff, leadership insight and a maturity assessment tool.
“The awareness learning programme for all staff helps to fill critical knowledge and skills gaps, enabling employees to make the right decisions at the right time about information security,” he said.
Axelos has produced a downloadable guide to help directors and managers responsible for information awareness learning and associated staff training to evaluate the effectiveness of their current approaches. The guide also highlights potential improvements in managing cyber-resilient behaviours.