A huge number of companies across all industries are exposed to serious cybersecurity risks and challenges. There is one simple reason why this is happening.
There is a lack of cybersecurity awareness among employees and organizations, a study commissioned by Axelos has found. Axelos is a joint venture between the UK government and Capita. The study concluded that UK organizations are putting their reputation, customer trust and competitive advantage at greater risk by failing to provide staff with effective cybersecurity awareness and the capability to defend against cyber attacks.
The research shows that most companies underestimate how much their employees’ behavior contributes to corporate cyber risk. According to the UK government’s 2015 information security breaches survey, 75% of large organizations and nearly a third of small organizations suffered staff-related security breaches in 2015, with 50% of the worst breaches caused by human error.
The Axelos report notes that only a few executives responsible for information security in large organizations think their cybersecurity training is very effective. 40% think they provide effective training for general awareness of cyber risks. Just over a quarter say their efforts are “very effective” at changing behavior in relation to information security.
For ensuring compliance with regulatory requirements, 37% rate their training as very effective, but only 33% rate it very effective in reducing exposure to the risk of information security breaches. Only 32% are “very confident” that the training is relevant to staff, despite almost all respondents (99%) citing security awareness as important to minimize the risk of security breaches.
Respondents also note that no more than 50% of staff have completed the training. This is nowhere near good enough and poses a serious risk. For cybersecurity awareness training to be effective, everyone within a company should have completed it. We do mean everyone. No exceptions.
“They often underestimate the role their employees – from the boardroom to the frontline – can play. Staff should be the most effective at security control, but are typically one of the greatest vulnerabilities”, says Nick Wilding, head of cyber resilience best practice at Axelos. No matter how much a company invests in technology and security, it will all be for nothing if it doesn’t invest in its employees as well.
“Imagine how customers would respond if told that ‘we’re fairly confident that your precious information is safe from attack.’ Organisations need to be more certain that they engage their people effectively to better equip them to manage the cyber and information security risks they now all face”, adds Wilding.
Axelos has also published a short guide to help executives evaluate whether their current awareness methods and techniques are effective.
Image credit: Flickr (CC) / Perspecsys.com Photos