Despite the positive effect of UK government cyber security initiatives, more work needs to be done to get real value out of them, a survey has revealed.
The Vanson Bourne research commissioned by security service provider SecureData investigated the impact government security initiatives have had on organisations in 2014.
Only 47% of respondents said the initiatives have helped them communicate the importance of security across their organisations.
Just over a third said that they had used the insights from such initiatives to define IT security standards and policies, with a quarter using information to set security strategies.
But almost a quarter said these initiatives have gone largely unnoticed in their organisation, with 34% also admitting they had not used the insights of Cert-UK in any way.
Just over a third still see professional bodies like (ISC)² as their primary source for security insights as opposed to only 13% who have sought information from the likes of Cert-UK, while a quarter rely on input from suppliers and service providers.
Only 26% of IT pros polled said initiatives had directly encouraged individual employees to consider IT security more closely.
Smaller organisations also saw a reduced impact from security initiatives, with almost a third of smaller firms saying government initiatives go unnoticed, compared with less than a fifth of organisations with more than 3,000 employees.
SecureData cloud services director Alan Carter said that while government initiatives have had a positive impact on IT security overall, there is still some way to go.
“Although initiatives clearly grab c-level attention in major enterprises, they are far less effective at raising awareness in smaller organisations or amongst individual employees. If we want security insights to resonate outside the boardroom, we need to look beyond government programmes,” he said.
Retail sector seeing fewest security benefits
Despite recent high-profile breaches at retailers such as Target, the retail sector is also seeing the fewest benefits from government security initiatives. A third of retail IT pros said initiatives had gone largely unnoticed, while 44% had not used the results in any way and only 4% saw them as an important source of security insights.
“We need to ask if one-off stress-testing exercises are the best approach to raising security awareness,” said Carter.
“By placing the emphasis on responding to attacks, initiatives struggle to convey the need for a complete approach to the security spectrum. Without insights into how to assess risks, detect threats and protect assets before an attack, these exercises become more a measure of the industry’s pulse than a source of valuable strategic advice.”
However, the recent updates to the government’s cyber security policies could not have come at a better time, according to Peter Groucutt, managing director at disaster recovery provider Databarracks.
The government recently released new materials to support UK businesses in their fight against organised cyber crime, including an updated 10 Steps to Cyber Security guide and a report from GCHQ detailing the most common cyber attacks in the UK and how to prevent them.
“There’s no denying that cyber crime is on the rise,” said Groucutt. “In 2014, we performed over 3,000 data restores for our customers – a higher proportion of these than ever before were as a direct result of malicious cyber attacks like CryptoLocker. With these figures only expected to rise, 2015 is the ideal time to make a real push for cyber security excellence within our organisations.
Cyber Essentials Scheme
“Since June of last year when they launched the Cyber Essentials Scheme, the government has been doing some great work in making cyber security accessible to businesses of all sizes. Bigger businesses may be a greater prize to hackers, but smaller businesses tend to have weaker defences, which means that any business that holds customer data is a legitimate target.”
A Databarracks survey revealed more than a third of UK organisations had been affected by a cyber threat in 2014.
“The more worrying figure though, was that 58% of those affected by a threat either made no changes to their security processes, or failed to even review them following the threat,” said Groucutt.
“This mindset is exactly why the Cyber Essentials Scheme is such a valuable resource, especially for SMEs [small and medium-sized enterprises] who perhaps don’t have the capacity in-house for a dedicated security specialist, or the budget to outsource the function,” he said.
Groucutt believes it is important to cultivate a culture of strong cyber security in each and every organisation from the top down.
“The latest updates to security policies from the government have struck a nice balance,” he said. “The guidance is technical enough to be useful, without alienating any non-technical business owners.
“It’s making practical security guidance available to businesses of all sizes without being patronising or over-reaching in terms of the resources required. We need to ensure that, firstly, organisations know that resources are there and secondly, that they actually use them.”