Almost half of UK organisations don’t feel they have the internal skills to deal with cyber threats
New research from business continuity and disaster recovery provider, Databarracks, has reported that almost half of UK organisations (47%) are concerned about the abilities of their staff to address potential cyber threats.
The findings are part of Databarracks’ seventh Data Health Check report. The survey questioned over 400 IT decision makers in the UK about their IT, security and business continuity practices over the last year, and what they expect to change in the next 12 months.
Only 53% of organisations surveyed felt confident in the abilities of staff to tackle potential cyber threats against the business; the same figure achieved in 2016.
Other significant findings revealed in the survey included:
- 61% of organisations have reviewed their security policies in the last 12 months in response to a cyber threat
- Despite reviewing policies, a staggering 41% of organisations decided not to invest in any safeguards over the last 12 months to protect against evolving cyber threats
- Viruses (44%), spyware (30%), ransomware (29%) and phishing attacks (26%) were the biggest cyber-attacks to impact organisations over the last 12 months.
- Ongoing employee awareness training was the safeguard most commonly invested in (34%).
Peter Groucutt, managing director at Databarracks commented: “Unfortunately, we are in the midst of an arms race against cyber criminals. Threats are becoming more frequent and more sophisticated. Organisations are desperately trying to address this by improving preventative measures and investing in education for staff, but as the evidence from the research shows, this is in fact doing little to improve confidence.
“While undoubtedly this is a major concern for organisations, it’s important to recognise that the simple steps we take to better equip staff to address threats do have a real effect.
“Phishing and whaling attacks, for example, remain one of the biggest threats to a business. Fundamentally these types of attacks are focused on people not technology, which is why it’s imperative that cyber awareness training is continually invested in. Over the past year we have seen businesses investing in cyber awareness training increase from 26% to 34% and next year we want to see this grow further.
“Just like shoring up your IT infrastructure, the key to improving digital skills confidence amongst staff is more about regularity and consistency than a single grand gesture. It’s about embedding a culture of security, driven from the top-down and horizontally regarded as a critical priority.
“Old norms must be challenged, ingrained responses and established processes must be shifted, for everyone. Directors must attend training sessions alongside new starters, and a culture of vigilance, transparency and accountability promoted at all levels, and within all teams.”
Groucutt concluded: “In parallel to awareness training, there should be a corresponding tightening of information controls where needed. Workers, including senior managers, only really need access to a small proportion of company data in order to work effectively.
“Ransomware propagates fastest when vulnerable senior staff possess needless administrator privileges. Proactively categorising users and limiting access to data shares appropriately can significantly limit the spread of malware around your network, and limit threats amongst staff.”