A cyber security awareness deficit amongst employees poses a major threat to UK organisations, according to a new study.
Businesses are severely underestimating the “human factor” of employee behaviour in corporate cyber risk, according to research from Axelos, a joint venture between the UK government and Capita.
As a result of failing to provide effective cyber security awareness training, UK organisations are putting their “reputation, customer trust and competitive advantage” at risk, the report said.
The research found that only a minority of executives responsible for information security training in enterprise organisations (500+ employees) think that their cyber security training is “very effective”.
While many organisations felt they were doing a good job at spreading the message, far fewer felt that the training actually led to behavioural change. Just over two-fifths (42%) of the executives said that their training was “very effective” at providing general awareness of security risks; however, only just over a quarter (28%) said their efforts were equally effective at changing behaviour.
When it came to regulatory requirements, 37% rated their training as very effective, while only a third (33%) rated it very effective in reducing exposure to the risk of breaches. Only 32% were “very confident” that the training was relevant to employees.
“Despite organisations continuing to invest heavily in technology to better protect their precious information and systems, the number and scale of attacks continues to rise as they discover there is no ‘silver bullet’ to help them achieve their desired level of cyber security,” said Nick Wilding, head of cyber resilience best practice at Axelos.
“Though 32% of organisations are very confident about the relevance of the training they provide, there are nearly two-thirds (62%) that are only ‘fairly confident’.”
“Imagine how customers would respond if told that ‘we’re fairly confident that your precious information is safe from attack’.”
The research points to clear opportunities for value-added resellers (VARs).
Mike Rothman, president and principal analyst of Security Incite, told Scope’s US sister publication SearchITChannel that VARs were ideally placed to address the shortcomings of internal training.
“As a value-added reseller (VAR), you're already in the training business,” Rothman said. “You train security professionals on the products you sell, and on other basic or advanced security skills. You already have training facilities, and you likely have access to content. You are 90% of the way there already.”
The analyst believes that the final 10% is the change of mindset required to train end users rather than technical staff.
“Training end users is a bit different than teaching an administrator to configure their PIX. End users can be technologically unsophisticated, may have trouble understanding security and, in many cases, may not feel that your training is a good use of their time.”