Many UK firms failing to identify cyber security risks, says Schillings

Many UK businesses are still failing to identify their true cyber security risks, says risk consulting, law and cyber security firm, Schillings

Many UK businesses skip basic steps needed to protect data assets from cyber attacks, says security firm Schillings.

“We are seeing companies struggle to identify significant, credible cyber threats that relate directly to them, such as data breaches and phishing campaigns,” said David Prince, delivery director of cyber security at Schillings.

He believes it is critical for organisations to understand the specific threats they face using threat modelling, but few are doing so because they do not understand the impact of data loss.

“Consequently they are not proportioning security controls properly, spending most of their security budget on the network perimeter instead of identifying true risks,” Prince told Computer Weekly.

He expects this to change as the impact of data breaches becomes clearer through high-profile incidents, such as the data breach at US retailer Target.

Prince said Schillings often finds firms have not completed the initial steps to understand risks that affect their core business.

“In many cases that is the people, but few UK companies are implementing effective security training for employees, and this continues to be an issue,” said Prince.

“A company can have the biggest security budget in the world, but that will not necessarily stop a person leaking data,” he said.

Data loss

Schillings is finding that even larger UK businesses are doing little to minimise that risk through awareness training.

A recent survey of top UK and UK-based global chief information security officers by security consultancy Company85 revealed that employees at 21% of firms polled never receive security awareness training.

Another 21% said employees received security training only once upon joining.

“But often there is a difference in perception by the CEO, who believes everything is covered, and the CISO, who knows otherwise,” said Prince.

The other common failing is that, even where some awareness training is being done, context is missing.

“Companies may be sourcing policies and posters online that they can use, but they are running events that have no context or anything that is relevant to their business and their staff,” said Prince.

“Training programmes should be tailored to a particular workforce and should not just focus on the IT environment, but should also cover relevant data protection laws,” he said.

Read more on cyber security basics

Effective practice

To keep employees on their toes, Schillings regularly sends them phishing emails to test how effective they are at identifying the threat and responding to it, and has metrics to plot progress over the past few years.

The company also runs regular data-breach scenarios to test the performance of all those in the organisation who have roles to play in the incident response plan.

“We run these exercises for clients because they are extremely useful in understanding and mitigating risk as well as limiting the media fallout caused by security breaches,” said Prince.

The outcome of the phishing attack exercises is communicated back to staff and incorporated into future awareness training programmes. It is also used to identify ways of giving better support to employees.

“It is important that there is no finger pointing and that feedback is given in a positive way to ensure the organisation improves performance without alienating anyone,” said Prince.

Schillings does not have any rigid awareness training schedule, but closely monitors events in the cyber security world. It also conducts sessions around any new developments that employees should be aware of.

The company makes use of weekly general briefing sessions to highlight information security issues as and when they arise based on cyber threat intelligence gathering activities.

“Security awareness should be intelligence led rather than being a tick-box exercise,” said Prince. “It can also provide vital frontline feedback on how security is handled and perceived within the organisation.”

Another common failing in UK businesses, he said, is that they do not truly understand the value of the data they hold and why they may be the target of a cyber attack.

This is increasingly a problem as traditional boundaries are blurring with the use of employee-owned devices for work and consumer services such as webmail.

“Data is going everywhere, which is not necessarily a bad thing, as long as organisations understand what data that is, why it may be valuable, and what regulatory constraints are attached so they can apply the right controls at the right time,” said Prince.

“If an organisation truly understands its information it can successfully take on things like cloud computing and bring your own device,” he said.

Finally, Prince said, a common failing is that information security teams are often small and isolated, with the result that any information they are feeding into the business tends to be limited in scope.

“An effective security team needs strong relations with risk and law – and if the security outfit as a whole incorporates legal services, the risk consulting team and the cyber security team, then the board of directors, the CEO and the audit committee all have the right visibility of the business and the most accurate information for making decisions.

The most important thing for organisations to be aware of is that cyber attackers will target any information of value, said Prince.

“Organisations need to identify what they have that is of value and protect it accordingly because any data breach could lead to long-lasting reputational damage and a loss in business confidence, he said.

Through combining legal, risk and cyber security expertise, Schillings specialises in reputation defence.

David Prince is taking part in a panel discussion on new and emerging challenges facing IT security teams to keep corporate data secure at the CW500 Security Club on 4 June. The discussion will focus on how to meet the key security challenge presented by the increased use of smart devices by employees to access web services for work purposes.

Read more on IT risk management