UK organisations are putting their reputation, customer trust and competitive advantage at greater risk by failing to provide their staff with effective cyber security awareness and capability to defend against cyber attacks, according to the latest research from AXELOS.
Research into organisations’ approach to information security awareness conducted by AXELOS – a UK government/Capita joint venture – reveals that most are underestimating the role the human element plays in corporate cyber risk. The finding is a cause for concern as UK government research found that 75% of large organisations suffered staff-related security breaches in 2015, with 50% of the worst breaches caused by human error.
AXELOS’ research showed that only a minority of executives responsible for information security training in organisations with more than 500 employees believe their cyber security training is very effective. While four in 10 (42%) say their training is very effective at providing general awareness of information security risks, only just over a quarter (28%) say their efforts are very effective at changing behaviour in relation to information security.
For ensuring compliance with regulatory requirements, 37% rate their training as very effective, though only a third (33%) rate it very effective in reducing exposure to the risk of information security breaches. A similar minority (32%) are very confident that the training is relevant to staff, despite almost all respondents (99%) citing security awareness as important to minimise the risk of security breaches.
When asked how many staff had completed their information security awareness programme, respondents in a quarter of organisations said that no more than 50% of staff had done so.
Nick Wilding, head of cyber resilience best practice at AXELOS, said: “Despite organisations continuing to invest heavily in technology to better protect their precious information and systems, the number and scale of attacks continues to rise as they discover there is no ‘silver bullet’ to help them achieve their desired level of cyber security.
“And they often underestimate the role that their own employees – from the boardroom to the frontline – can play: staff should be their most effective security control but are typically one of their greatest vulnerabilities.”
While praising UK organisations for acknowledging the importance of information security awareness learning, Wilding warned that current training and awareness approaches often aren’t effective.
He said: “Though 32% of organisations are very confident about the relevance of the training they provide, there are nearly two-thirds (62%) that are only ‘fairly confident’. Cyber-attacks are now business as usual and the resulting financial and reputational damage can be significant. As a result, organisations need to be more certain that they are engaging their people effectively to better equip them to manage the cyber and information security risks they now all face.
“Imagine how customers would respond if told that ‘we’re fairly confident that your precious information is safe from attack’. Equally, reporting to a board of directors that the level of confidence in the organisation’s information security awareness is only “fair” would be given short shrift. If UK company boards are not asking those responsible about the current effectiveness of their awareness learning among their people and what is being done to improve their cyber resilience, then they should be.”