UK businesses fail at security awareness

UK organizations are putting their reputation, customer trust and competitive advantage at greater risk by failing to provide their staff with effective security awareness and capability to defend against cyber attacks.

Research into organizations’ approach to information security awareness by Axelos reveals that most are underestimating the “human factor” of employee behaviour in corporate cyber risk. The finding is a cause for concern as UK Government research found that 75% of large organizations suffered staff-related security breaches in 2015, with 50% of the worst breaches caused by human error.

Research showed that only a minority of executives responsible for information security training in organizations with more than 500 employees believe their cyber security training is very effective. While four in 10 (42%) say their training is very effective at providing general awareness of information security risks, only just over a quarter (28%) say their efforts are very effective at changing behaviour in relation to information security.

For ensuring compliance with regulatory requirements, 37% rate their training as very effective, but only a third (33%) rate it very effective in reducing exposure to the risk of information security breaches. A similar minority (32%) are very confident that the training is relevant to staff, even though almost all respondents (99%) cite security awareness as important to minimising the risk of security breaches.

When asked how many staff had completed their information security awareness programme, respondents in a quarter of organizations said that no more than 50% of staff had done so.

“There is an incredibly high number of security incidents that are caused by, or involve, human error. No person or organisation is infallible and employees will always be a weak link in an organisation’s security chain. A common problem is that organisations can think it’s important to only educate those at the top of the management tree, but this is a dangerous approach. Indeed, we are increasingly hearing stories of cybercriminals looking for a gateway to the network by targeting employees lower down the ladder, quite often via spear phishing. The fact is, every employee who has access to the corporate network is a target, and with hackers using increasingly devious techniques, it only takes one download or one click of the mouse for someone to put the entire company at risk,” Ross Brewer, VP and MD of EMEA, LogRhythm told Help Net Security.

“Imagine how customers would respond if told that ‘we’re fairly confident that your precious information is safe from attack’. Equally, reporting to a board of directors that the level of confidence in the organization’s information security awareness is only “fair” would be given short shrift. If UK company boards are not asking those responsible about the current effectiveness of their awareness learning among their people and what is being done to improve their cyber resilience, then they should be,” according to Nick Wilding, head of cyber resilience best practice at Axelos.