QA survey reveals how UK businesses plan to tackle 2016 cyber security threats

A comprehensive survey conducted by training company QA reveals that eight out of ten (81%) UK IT decision-makers experienced some sort of data or cyber security breach in their organisation during 2015. 66% said that the breach had led to a loss of data, 45% that it had resulted in a loss of revenue and 42% revealed that such a security episode resulted in “a PR nightmare” for the business. However, despite these findings less than a third (27%) of those professionals questioned plan to invest in cyber security technologies next year.

The survey was conducted in October and November 2015 by specialist research organisation Opinion Matters among a sample of 100 IT decision-makers in the UK from organisations with 500 employees or more. It would appear that not all organisations have learned the necessary lessons from their cyber security episodes: 43% of IT decision-makers said that the breach had not led to any change of policy and/or procedure.

Perhaps it’s not surprising 40% of those interviewed expressed the view that they “don’t feel confident” they have the right balance of cyber security skills in their organisation to protect it from myriad threats in 2016.

According to those surveyed, the biggest threats posed to corporate security in the New Year will be organised/automated cyber attack (54% of respondents), compromise through employees due to social engineering (11%), a lack of encrypted data (10%), employee negligence such as lost laptops or other mobile devices (8%) and not having in place (or enforcing) security policies and procedures (6%).

Taken together, human error is the second largest concern (19%) for IT decision-makers, with both ‘compromise through employees’ and ‘employee negligence’ featuring in the Top Five threats.

Richard Beck, head of cyber security at QA, informed Risk UK: “One way in which organisations can try and limit the impact of a skills shortage in the IT Department is to increase staff awareness around cyber threats. With one fifth of those surveyed acknowledging that the biggest threat to security next year is likely to be human error, it follows that educating employees on how to detect and deter common threats like social engineering or phishing attacks could prove to be invaluable in helping to defend an organisation.”

Beck went on to state: “This research shows that only 31% of organisations plan to invest in employee awareness and engagement training. However, all companies should be teaching their employees a ‘Cyber Security Code’ until it becomes instinctive. CESG, the National Technical Authority for Information Assurance, has produced a Briefing Paper entitled ‘10 Steps to Cyber Security’ which is a really good place to start for the necessary learning.”

Key areas for investment

When asked about key areas for investment to protect organisations from cyber threats in 2016, over two thirds (70%) of IT decision-makers suggested they plan to invest in hiring qualified cyber security professionals in the coming year. 78% stated that they also expected budgets for hiring to increase next year.

However, hiring isn’t a quick and easy solution. Over eight out of ten (84%) respondents said that it took up to three months on average to fill a cyber security skilled role on their team. To help address this, 45% are planning to invest in further training for existing cyber security staff and 34% of IT decision-makers said they wish to cross-skill/train other IT staff in cyber security specialisms.

“It’s really interesting to compare and contrast some of these findings,” asserted Beck. “70% of those interviewed told us they plan to invest in hiring cyber security skilled professionals in 2016. However, where will these skilled professionals come from? Everyone is struggling to fill cyber security posts on their teams and it’s likely one organisation’s gain will become another organisation’s loss.”

He continued: “However, it’s encouraging to note there’s a growing acknowledgement that, by training and cross-skilling existing specialist staff, businesses can begin to address the skills gap. The key to making this approach succeed will be engaging the HR Department to work alongside IT in the development of strong staff retention strategies. Those companies that motivate and reward their employees appropriately are far more likely to hold on to their cyber security professionals once they’ve invested time and effort in training them.”

Where to turn for advice

When asked which organisations they would go to for advice on increasing capabilities around cyber security, the findings show that respondents would predominantly turn to the IT sector. An overwhelming 92% of those questioned said they would turn to their IT/technology services partner while almost half (45%) would seek advice from specialist IT vendors.

The Top Ten places for advice on increasing capabilities around cyber security are IT/technology services partners (92%), IT vendors (45%), security consultants/consultancies (25%), Government bodies (20%), training organisations (17%), the Information Commissioner’s Office (16%), an accrediting body (14%), peers (14%), Trade Associations (14%) and work colleagues (9%).

Richard Beck explained: “It would appear that those responsible for the security of organisations are placing the onus on the technology industry to solve their security issues. However, this is only one part of the picture when looking to negate the security risk posed to businesses. A majority of high profile breaches comprise a mix of technological know-how in conjunction with human error.”

Beck added: “It doesn’t matter how robust your technology happens to be. The organisation will still face an element of risk. Pretty much every organisation I can think of is cyber-dependent to some degree. Adopting holistic approaches towards security risk should ensure that staff are educated against ever-increasing cyber threats. It’s also fair to suggest that the responsibility for keeping an organisation’s data safe reaches into every corner of every business.”

ITS’ 2016 predictions

Recently, there has been an upward trend in the use of managed service providers (MSPs). Until now, MSPs have mostly been contracted to help with technical and equipment issues, but IT Specialists (ITS) firmly believes there are three areas where MSPs will start to grow their influence next year.

MSPs will become more popular among small to medium-sized businesses. They’ll not only oversee day-to-day technology maintenance needs for the host business, but also look for recurring problems and ways to strengthen the IT infrastructure.

Companies will benefit from the MSPs’ knowledge of industry trends and experience with new technologies.

Secondly, managed compliance support will become critical. If the host business is struggling to manage large amounts of data, remain up-to-date on regulations, retain in-house risk management experts or align its goals with regulatory requirements, it might well be time to look outside for help.

Lastly, the management of private and public clouds will separate. Current colocation businesses have begun to have their engineers certified for public clouds from a managed services perspective. They’re also looking to add private managed services within their own data centres.

About the Author
Brian Sims BA (Hons) Hon FSyI, Editor, Risk UK (Pro-Activ Publications) Beginning his career in professional journalism at The Builder Group in March 1992, Brian was appointed Editor of Security Management Today in November 2000 having spent eight years in engineering journalism across two titles: Building Services Journal and Light & Lighting. In 2005, Brian received the BSIA Chairman’s Award for Promoting The Security Industry and, a year later, the Skills for Security Special Award for an Outstanding Contribution to the Security Business Sector. In 2008, Brian was The Security Institute’s nomination for the Association of Security Consultants’ highly prestigious Imbert Prize and, in 2013, was a nominated finalist for the Institute's George van Schalkwyk Award. An Honorary Fellow of The Security Institute, Brian serves as a Judge for the BSIA’s Security Personnel of the Year Awards and the Securitas Good Customer Award. Between 2008 and 2014, Brian pioneered the use of digital media across the security sector, including webinars and Audio Shows. Brian’s actively involved in 50-plus security groups on LinkedIn and hosts the popular Risk UK Twitter site. Brian is a frequent speaker on the conference circuit. He has organised and chaired conference programmes for both IFSEC International and ASIS International and has been published in the national media. Brian was appointed Editor of Risk UK at Pro-Activ Publications in July 2014 and as Editor of The Paper (Pro-Activ Publications' dedicated business newspaper for security professionals) in September 2015. Brian was appointed Editor of Risk Xtra at Pro-Activ Publications in May 2018.