How UK businesses plan to tackle security threats in 2016
81% of UK IT decision makers experienced some sort of data or cyber security breach in their organisation in 2015, according to training company QA. 66 per cent said that the breach had led to a loss of data, 45 per cent said that it had resulted in a loss of revenue, and 42 per cent said that it had resulted in a PR nightmare for the business. Despite this, however, less than a third (27%) plan to invest in cyber security technologies next year.
It would also appear that not all organisations have learnt from their experience, with 43% of IT decision makers saying that the breach had not resulted in a change of policy or procedure. Perhaps it’s not surprising that 40 per cent said they didn’t feel confident they had the right balance of cyber security skills in their organisation to protect it from threats in 2016.
The biggest threats to corporate security in 2016:
1. Organised/automated cyber attack (54%)
2. Compromise through employees, e.g. social engineering (11%)
3. Lack of encrypted data (10%)
4. Employee negligence, e.g. lost laptops or other mobile devices (8%)
5. Not having or enforcing security policies and procedures (6%).
Human error is the second largest concern (19%) for IT decision makers, with both ‘compromise through employees’ and ‘employee negligence’ featuring in the top five threats.
Richard Beck, Head of Cyber Security at QA, said: “One way that organisations can try and limit the impact of a skills shortage in the IT department is to increase staff awareness of cyber threats. With a fifth of those surveyed acknowledging that the biggest threat to security next year is likely to be human error, educating staff on how to detect and deter common threats like social engineering or phishing attacks could prove invaluable in helping defend an organisation.”
Key areas for investment in 2016: Skills rather than technology
When asked about key areas for investment to protect the organisation from cyber threats in 2016, over two thirds (70%) of IT decision makers said they plan to invest in hiring qualified cyber security professionals in the coming year. 78 per cent said that they also expected budgets for hiring to increase next year. However, hiring isn’t a quick and easy solution.
84% of respondents said that it took on average up to three months to fill a cyber security skilled role on their team. To help address this, 45 per cent say they plan to invest in further training for existing cyber security staff and 34 per cent of IT decision makers said they planned to cross-skill/train other IT staff in cyber security specialisms.
Richard Beck went on to say: “It’s really interesting to compare and contrast some of these findings. 70 per cent of those interviewed said they planned to invest in hiring cyber security skilled professionals in 2016. However, where will these skilled professionals come from? Everyone is struggling to fill cyber security posts on their team and one organisation’s gain will become another organisation’s loss.
“It’s encouraging however to see that there is a growing acknowledgement that by training and cross-skilling existing specialist staff, companies can begin to address the skills gap. The key to making this approach work will be engaging the HR department to work alongside IT to develop strong staff retention strategies. Those companies that motivate and reward their staff appropriately are far more likely to hold on to their cyber professionals once they’ve invested in training them. Perhaps it is time security professionals shared some of the skills gap responsibility with their colleagues in HR?”
Where do businesses turn for advice?
When asked which organisations they would go to for advice on increasing capabilities around cyber security, the findings show respondents would predominantly turn to the IT sector. An overwhelming 92 per cent said they would turn to their IT/technology services partner and almost half (45%) would seek advice from IT vendors.
Top 10 places for advice on increasing capabilities around cyber security:
1. IT/technology services partner (92%)
2. IT vendors (45%)
3. Security consultant/consultancy (25%)
4. Government bodies (20%)
5. Training organisations (17%)
6. The Information Commissioner (ICO) (16%)
7. Accrediting body (14%)
8. Peers (14%)
9. Trade & Industry associations (14%)
10. Colleagues (9%).