New research from AXELOS claims that UK businesses are putting their reputation, customer trust and competitive advantage at significant risk by failing to provide staff with the requisite cyber security skills and awareness.
It’s worth recalling that two of the key points to emerge from the major 2015 ‘Information security breaches survey’ undertaken on behalf of the Department for Business, Innovation and Skills (BIS) were:
- Nearly nine out of ten large organisations surveyed now suffer some form of security breach – suggesting that these incidents are now a near certainty
- People are as likely to cause a breach as viruses and other types of malicious software
Despite these warnings, this latest research from AXELOS shows that most UK organisations are still underestimating the ‘human factor’ of employee behaviour in corporate cyber risk.
The study reveals that only a minority of executives responsible for information security training in organisations with more than 500 employees believe their cyber security training is ‘very effective’. Four in 10 say their training is ‘very effective’ at providing general awareness of information security risks, while just over a quarter say their efforts are ‘very effective’ at changing behaviour in relation to information security.
When asked how many staff had completed their information security awareness programme, respondents in a quarter of organisations said that no more than 50% of staff had done so.
Of course, compliance with regulatory requirements is also an increasing challenge for businesses of all sizes. Worryingly, only 37% of the respondents to the AXELOS survey rated their training in this area as ‘very effective’.
Nick Wilding, head of cyber resilience best practice at AXELOS, put the results into context when he said: “Though 32% of organisations are very confident about the relevance of the training they provide, there are nearly two-thirds (62%) that are only ‘fairly confident’.
“Imagine how customers would respond if told that ‘we’re fairly confident that your precious information is safe from attack’. Equally, reporting to a board of directors that the level of confidence in the organisation’s information security awareness is only ‘fair’ would be given short shrift. If UK company boards are not asking those responsible about the current effectiveness of their awareness learning among their people and what is being done to improve their cyber resilience, then they should be.”
RESILIA™ is a portfolio of training, learning and certification aimed at building cyber resilience across the organisation, from the boardroom down.