Cyber security depends on every employee, House of Lords committee told

A cyber security expert has told a House of Lords committee that security awareness among company employees is critical.

The Institution of Engineering and Technology (IET) has told a House of Lords committee a basic understanding of cyber security among all company employees is critical.

Relying on a few cyber security professionals cannot provide the level of reassurance and safety required, according to IET cyber security lead Hugh Boyes.

In giving evidence to the House of Lords Digital Skills Committee, he emphasised the need for continuing professional and personal development on the subject of cyber security.

“With the increasing use of computer-based and digital technologies in all aspects of our lives, engineers and technicians need to have a general understanding of cyber security principles.

“This is essential if we are to improve the security and resilience of our systems,” he said.

According to Boyes, most companies require all their staff to complete basic health and safety training and promote a workplace safety culture.

“Cyber security should be approached in a similar way. It is the responsibility of anyone using computer-based and digital technologies and cannot be left to a relatively small number of specialists,” he said.

The Digital Skills Committee was set up in June 2014 to consider information and communications technology, competitiveness and skills in the UK, and make recommendations.

As part of its investigation into these areas, the committee heard evidence from cyber security experts and representatives from regional digital hubs, such as London’s Tech City UK.

Few companies implementing security training

Earlier in 2014, security consultancy Schillings told Computer Weekly few UK companies are implementing effective security training for employees.

“A company can have the biggest security budget in the world, but that will not necessarily stop a person leaking data,” said Schillings delivery director of cyber security David Prince.

He said even larger UK businesses are doing little to minimise that risk through awareness training.

To keep employees on their toes, Schillings regularly sends them phishing emails to test how effective they are at identifying the threat and responding to it.

The company also runs regular data-breach scenarios to test the performance of all those in the organisation who have roles to play in the incident response plan.

“We run these exercises for clients because they are extremely useful in understanding and mitigating risk,” said Prince.

Schillings does not have any rigid awareness training schedule, but closely monitors events in the cyber security world and conducts sessions around any new developments employees should be aware of.

The company makes use of weekly general briefing sessions to highlight information security issues as and when they arise based on cyber threat intelligence gathering activities.

“Security awareness can provide vital frontline feedback on how security is handled and perceived in the organisation,” said Prince. 
