Corporate Security in 2016.

Transcription

1 Corporate Security in A QA Report Study Highlights According to ThreatMetrix, businesses in the UK are at greater risk of cybercrime than any other country in the world. In a recent survey carried out by QA amongst IT decision makers in the UK, worringly 40% admit their organisation doesn t have the right balance of cyber security skills to shield them from threats in HALF Nearly of organisations have not changed policies and procedures after an attack. This Cyber Skills Gap leaves organisations vulnerable to cyber security breaches, as the majority of respondents have already discovered to their cost. Alarmingly, over 80% of the respondents say their organisation suffered a data or security breach in 2015 alone resulting in a loss of data, loss of revenue and / or considerable PR damage. What is most concerning is that nearly half (43%) say that their organisations have not changed their policies or procedures as a result of a breach, indicating that they are still vulnerable. The good news is that staff awareness training and cross-skilling can help detect, deter and defend against cyber threats and more than a third of the participants plan to increase the budget for user training in the coming year. P a g e 1

2 About the Study QA s study of cyber security is based on a survey of 100 IT decision makers in UK companies with 500 employees or more, which was undertaken in October and November, Key Findings Most organisations experienced a security breach last year 45% reported a loss of revenue. Eight out of ten (81%) IT decision makers say their organisation experienced a data or security breach in The consequences can be serious: in most cases (66%) this resulted in a breach of data, and almost half of respondents (45%) reported a loss of revenue. Four in ten (42%) found their organisation dealing with a PR ordeal as a result. The risk of data or security breach should not be underestimated as only one in five (19%) organisations were unaffected in Organised cyber attack is perceived as the biggest threat Over half of IT decision makers (54%) believe that organised/automated cyber attack is the biggest threat to the security of their data systems in the coming year. This is a particular concern to those who suffered a security breach in 2015 (58%, compared to 37% who were unaffected), presumably because they have recently dealt with the consequences of a data breach and fear being hit again on a larger scale. Only 8% believe that employee negligence is a big threat. Interestingly, only 8% believe that employee negligence is a big threat to the security of data and systems. Richard Beck, Head of Cyber Security at QA, says: The threat of an organised cyber-attack on your organisation may keep you awake at night, but the real challenge is not technical at all, it comes down to organisational behaviours instead. The people within our organisations are often the biggest weaknesses in the system that the bad guys seek to exploit. P a g e 2

3 Businesses must be protected from human error Whilst automated or organised cyber attacks are the first area of concern for over half of the respondents, only one in five worry about the impact of human error. Only 20% worry about the impact of human error. QA s research also reveals that one in ten respondents worry that their organisation could be compromised because employees don t follow, or are not aware of, security policies: 6% say that not having / enforcing security policies and procedures is an issue, and 4% highlight a lack of security training and awareness. Richard Beck, Head of Cyber Security at QA, says: A large majority of high-profile breaches comprise a mix of technological know-how and human error. With a fifth of those surveyed acknowledging that the biggest threat to security next year is likely to be human error, educating staff on how to detect and deter common threats like social engineering or phishing attacks could prove invaluable in helping to defend an organisation. Too little, too late Over half of respondents reported that policies or procedures were changed after a data or security breach in This suggests that, in many cases, organisations learn from experience so it s vital to invest in cyber skills. Of course, by this stage, a breach has already occurred and unfortunately, not all UK organisations learn from their mistakes: 43% of those surveyed indicated that their organisations failed to improve their cyber security systems or change their policies and procedures following a breach, putting them at risk of a repeat incident. The cyber skills gap makes organisations vulnerable Four out of ten IT decision makers (40%) admit that they don t have the right balance of cyber security skills in their organisation to protect it from threats in the coming year. Almost a quarter (24%) say that they are concerned about not being adequately protected, but 23% are seeking to address! P a g e 3

4 40% admit that they don t have the right balance of cyber security skills. their shortcomings and plan to improve their balance of cyber security skills. Significantly, those who experienced a breach in 2015 are less confident about their organisation s ability to evade cyber threat: 58% of those who suffered a breach say that they have the right balance of skills in place to protect their organisation, compared to 68% of those who were not affected. Organisations feel more vulnerable in the wake of a breach, even if they have tightened up security protocols in response: more than a quarter (27%) of those who fell victim to a data or security breach in 2015 are concerned about their security in 2016, compared to 11% of those who were unaffected in the last twelve months. Recruiting cyber professionals is a slow and costly route to confidence Seven out of ten respondents (70%) say that they will be hiring qualified cyber security professionals in 2016, rising to 77% of those who experienced a breach in Those who didn t suffer a breach are much less inclined to do so, with only four in ten (42%) planning to invest in this area. Hiring cyber security professional alone could lead to a false sense of security. Overall, almost eight out of ten (78%) IT decision makers say that their budget will be increased in 2016 to enable them to appoint these positions, particularly those who had issues in 2015: 81% of these say that they expect their budget to be increased, compared to 63% of those who avoided cyber threats in the last year. Although IT decision makers may feel more confident about corporate security when they have cyber security professionals in place, hiring is far from a quick fix as the recruitment process can take several months. Around four in five respondents (81%) say that it takes between one and three months to fill a cyber security / security professional skilled role, and a further 13% say that it takes between three and six months. In light of this, Richard Beck believes that organisations would do better to invest in staff training instead. He says, Where will these skilled professionals come from? Everyone is struggling to fill cyber security posts on their team and one organisation s gain will become another organisation s loss. P a g e 4

5 Skills trump technology Just over a quarter of those surveyed (27%) plan to invest in cyber security technologies in 2016, with those who didn t experience a breach in 2015 more likely to increase their budget in order to do this (58%) than those who did (40%). Furthermore, over a third (36%) of respondents expect that their budget for cyber technologies will be reduced, and this is especially true of those who have recently experienced a breach: 44% say that their budget will shrink, compared to 0% of those whose data remained secure in IT decision makers are planning to invest in further training and employee awareness. Instead of (or as well as) spending on cyber security technologies, IT decision makers are planning to invest in further training of existing security professionals (45%), crossskilling/training other IT staff in cyber security (34%), and investing in employee awareness and engagement in cyber security (31%). This indicates that UK organisations recognise that training staff in cyber awareness is a cornerstone of corporate security. Richard Beck says: It s encouraging to see that there is a growing acknowledgement that by training and cross-skilling existing specialist staff, companies can begin to address the skills gap. IT departments take responsibility for cyber security For almost all respondents (98%), the IT department has responsibility for cyber security. Fewer than one in ten IT decision makers (8%) say that HR is expected to deal with cyber security, with only 6% saying that this falls under the remit of Operations. Most IT decision makers (96%) believe that IT should continue to take responsibility. However, a small percentage (7%) would like to see Operations playing a more active role, and 5% would like Finance to be more involved. Richard Beck believes that the ideal approach is for IT and HR to work together, to develop and retain cyber professionals. He says: The key to making this approach work will be engaging the HR department to work alongside IT to develop strong staff retention strategies. Those companies that motivate and reward P a g e 5

6 their staff appropriately are far more likely to hold on to their cyber professionals once they ve invested in training them. Surely it is time security professionals shared some of the skills gap responsibility with their colleagues in HR Decision makers turn to the IT industry for advice All companies should be teaching employees a Cyber Security Code. No matter how robust technology is, there is still an element of risk. When seeking advice on improving/increasing their cyber security capabilities, most IT decision makers would turn to the IT sector: more than nine out of ten (92%) would ask their IT or technology services partner, and almost half (45%) would approach IT vendors. In addition, a quarter of IT decision makers (25%) would turn to security consultants, and one in five (20%) would approach government bodies. Richard Beck says: It would appear that those responsible for the security of organisations are putting the onus on the technology industry to solve their security issues. However, this is only one part of the picture when looking to negate the security risk to businesses. It doesn t matter how robust your technology is, you still face an element of risk. Pretty much every organisation I can think of is cyber-dependent to some degree. A holistic approach to security risk should ensure staff are educated against everincreasing cyber threats. Responsibility for keeping an organisations data safe reaches into every corner of every business. But sharing new skills is an effective form of safeguarding All companies should be teaching employees a Cyber Security Code. With this in mind, it s significant that around one in six (17%) IT decision makers would approach training organisations for advice, and almost one in ten (9%) would ask their colleagues. This highlights the value of investing in specialist training once these skills are developed within an organisation, they will automatically be shared amongst staff. Richard Beck says: We often hear about patching common application vulnerabilities, however human weaknesses are the vulnerabilities that are in need of urgent patching. Poor security practices and under investment in security training and awareness will continue to be at the root for almost all data breaches until we prioritise the human element of the cyber threat. Clearly, people represent one of the key domains of any effective cyber security strategy. Helping staff understand the part they P a g e 6

7 play in keeping information secure is an essential first step, and educating staff on how to detect and deter common threats like phishing and social engineering can prove invaluable in helping to defend an organisation. All companies should be teaching employees a Cyber Security Code until it becomes instinctive. CESG, The National Technical Authority for Information Assurance, has a paper entitled 10 Steps to Cyber Security which is a really good place to start for this. Additional findings * Only 19% of IT decision makers did not experience a data or security breach in 2015 * 60% of respondents believe that they have the right balance of cyber security skills to protect their organisation from threats in the coming year * 76% of IT decision makers believe that the UK Government is doing enough to tackle cyber crime * 21% of IT decision makers who did not experience a breach in 2015 worry that the biggest threat to the security of their data and systems in 2016 will be employee negligence * None of the IT decision makers surveyed plan to reduce their budget for further staff training for security professionals in 2016 * Just 3% of respondents say that they can fill a cyber security role on their team in up to one month P a g e 7

8 Conclusions and Implications The study results show that four out of ten UK IT decision makers organisations currently lack the balance of cyber security skills that they need to protect their organisation from threats in In order to remedy this, almost eight in ten plan to increase their budget for hiring qualified cyber security professionals, which can be a lengthy process. IT decision makers are beginning to recognise the value of investing in further training of existing security professionals, as well as investing in employee awareness ensuring that employees are better placed to help defend their organization.. This can prove invaluable given human error is, according to respondents, the second greatest threat to business after organised/automated cyber attack, with more than half of the worst security breaches in 2014 caused by staff. Not investing in user awareness is a false economy as a cyber attack could cost a large organization in excess of 1M Unfortunately, 36% of organisations don t plan to undertake user awareness training at all in the next year, even though it can be a cost-effective way to detect and deter common threats like social engineering and phishing attacks. This seems like a false economy given that a cyber attack could cost a large business in excess of 1million. However, these figures could simply reflect the fact that staff working for organisations that have recently suffered a breach are already more aware of cyber threats, or are now operating according to new or improved security policies which have been designed to identify and deflect increasing cyber threats. The good news is that organisations that did not experience a breach in 2015 are now taking a proactive approach to corporate security: 58% plan to increase their budget for awareness training of cyber-crime and threats in 2016, compared to 33% of those who were affected in This bodes well for corporate security in 2016, and indicates that UK organisations are beginning to recognise that the responsibility for cyber security extends right across the business. P a g e 8

9 About QA QA is one of the largest learning services organisations in the UK, developing skills and capabilities for everyone from apprentices to business leaders, and has a client base covering 80% of the FTSE 250. QA offers the only end-to-end cyber security curriculum in the UK, including full courses across Cyber Certifications, Cyber Assurance and Cyber Defence. To learn more about QA and the courses it offers, visit P a g e 9