Top companies are failing to provide cyber security awareness training to employees, a poll of top UK and UK-based global chief information security offers has revealed.
The real-time anonymous poll, using wireless handsets with instant feedback to participants, was conducted at a gathering of 50 top CISOs at high-tech venue in Knightsbridge, London.
Each of seven verticals had roughly equal representation at the Club CISO event, organised by security consultancy Company85.
The survey showed that just over a fifth of companies represented provide no security awareness training for employees.
This is despite the fact that 38% of participants said they agreed with government advice to provide greater education around cyber security.
“The fact that 21% never provide training is one of the most shocking revelations,” said Phil Cracknell, head of security and privacy services at Company85.
Read more about cyber security awareness
- Many UK firms failing to identify cyber security risks, says Schillings
- Awareness training not enough, says security researcher
- Keep secrets safe with an employee security awareness program
- (ISC)2 expands online security awareness programme to Ireland
- Target to invest $5m in cyber security awareness
- Government launches cyber awareness campaign
- Three ways to raise infosec awareness among non-security executives
- Security awareness training made easy
“Lack of awareness and understanding is the reason that, for many organisations, employees are the biggest risk to data security.”
The poll also revealed that 21% of the organisations represented provided training only once, when employees joined the company.
Only a fifth claimed to provide frequent training as and when required.
“This shows that most companies do not see security awareness training as important enough, even though it is one of the easiest ways to reduce risk of data loss,” said Cracknell.
Attacks change quicker than training
The polls shows that most companies conduct training only once a year, but this is not enough because of the rapid changes in the techniques used by attackers, he said.
Even where organisations are providing training, more than half have no measure of the effectiveness of that training.
“Again this is a shocking statistic, because it means most companies do not have any idea if they are improving or not,” said Cracknell.
Only 10% said they measured incident and support call volumes before and after training sessions, while 14% said they conducted a test after training and 24% said they conducted online testing.
Just over two-thirds of those polled said their organisation had suffered a data loss incident in the past 12 months, but 19% said they were not aware of one and 14% said they had not been hit.
“The results were more or less as expected, but 14% who said they had not suffered any breach was surprising, because no-one can really say categorically that no data has been lost,” said Cracknell.
Of those who were aware of a data breach, 29% said it was the company’s fault, but 24% blamed a third party and 14% said they were not sure who was to blame.
“Nearly a quarter pointing to third parties as being responsible for data breaches highlights the need for organisations to look at ways to manage security in their supply chains,” said Cracknell.
Supply chain hazard
The poll revealed that 63% of participants believed organisations in their supply chain were immature in information security.
Only 16% said their suppliers had some level of maturity, but none felt as though suppliers had achieved complete maturity.
Another surprising finding of the poll is that most participants rated their organisations poorly for data loss prevention from a policy, strategy and solutions perspective.
Using the capability maturity model (CMM) ratings, 40% rated their organisation as being on level 1 and 40% said their organisation was on level 2, where level 1 is the weakest and level 5 the ideal.
“This means 80% of organisations are woefully inadequate in data loss prevention from a policy, strategy and solutions perspective,” said Cracknell.
Organisations also scored poorly in terms of their cyber breach response programmes.
Almost two-fifths rated their organisations as being at level 1 and 29% at level two, with 10% at level 3, 14% at level 4 and only 10% at level 5.
“This means that a mere 34% have some level of maturity in incident response,” said Cracknell.
Incident response plan
Most organisations still fail to understand the importance and benefit of having a plan to follow when things go wrong, he said.
“An incident response plan means all the decisions can be made in advance so everyone knows exactly what to do and how to handle an incident,” said Cracknell.
This approach ensures that the impact of security breaches are kept to the absolute minimum and companies can mitigate damage to their reputation by being ready with things such as statements for the media and holding pages for websites, he said.
“The way an incident is handled can either make an organisation look very good or very bad, but few organisations seem to truly understand this,” said Cracknell.
The poll also revealed that few organisations have achieved any maturity in terms of controls around the use of removable media.
Nearly two-fifths of organisations were rated as being level 1 and 10% at level two.
“This means nearly half of organisations lack any real maturity, which makes it hardly surprising that so many organisations are reporting data losses,” said Cracknell.
A third of organisations were rated at level 3, some 5% are nearing maturity at level 4 and only 14% were rated at level 5.
When it came to meeting legal and regulatory requirements, less than half rated their organisations as having some level of maturity, while 21% rated their organisation at level 1 and 36% at level 2.
Level 3 and 4 were applicable to 16% each, while level 5 was applicable to only 10% of organisations.
“Many organisations are not confident they have got everything covered and surprisingly few have achieved some level of maturity,” said Cracknell.
The poll revealed that most CISOs (42%) report to CIOs, with only 29% reporting to the main board and a further 29% reporting to the CTO.
Of those CISOs polled, none said they reported to the human resources or legal departments, or the CFO.
Many of the CISOs who took part in the live event and a subsequent online anonymous supplement agreed that information security still has some way to go in terms of maturity.
Awareness, cyber breach response and mobile device security are the key and topical areas where more maturity is needed, respondents said.
“The survey shows there is still much variance in where the CISO sits in an organisation and still a majority strongly linked to or reporting in to a technology leader,” said Cracknell.
“But this has to change because we know security is not all about technology, but as long as it reports to such, it will feed off the scraps of the IT budget,” he said.
However, changes in legislation surrounding breach notification may be the catalyst for the next step change in the information security community, said Cracknell.
“Something to jumpstart a new era where the information security function is paid more than lip service,” he said.