A comprehensive survey conducted by training company QA reveals that eight out of ten (81%) UK IT decision-makers experienced some sort of data or cyber security breach in their organisation during 2015. 66% said that the breach had led to a loss of data, 45% that it had resulted in a loss of revenue and 42% revealed that such a security episode resulted in “a PR nightmare” for the business. However, despite these findings, less than a third (27%) of those professionals questioned plan to invest in cyber security technologies next year.
The survey was conducted in October and November 2015 by specialist research organisation Opinion Matters among a sample of 100 IT decision-makers in the UK from organisations with 500 employees or more. It would appear that not all organisations have learned the necessary lessons from their cyber security episodes, with less than half (43%) of IT decision-makers saying that the breach hadn’t engendered a change of policy and/or procedure.
Perhaps it’s not surprising that 40% of those interviewed expressed the view that they “don’t feel confident” they have the right balance of cyber security skills in their organisation to protect it from myriad threats in 2016.
According to those surveyed, the biggest threats posed to corporate security in the New Year will be organised/automated cyber attack (54% of respondents), compromise through employees due to social engineering (11%), a lack of encrypted data (10%), employee negligence re: lost laptops or other mobile devices (8%) and not having in place (or enforcing) security policies and procedures (6%).
Human error is the second largest concern (19%) for IT decision-makers, with both ‘compromise through employees’ and ‘employee negligence’ featuring in the Top Five threats.
Richard Beck, head of cyber security at QA, informed Risk UK: “One way in which organisations can try and limit the impact of a skills shortage in the IT Department is to increase staff awareness around cyber threats. With one fifth of those surveyed acknowledging that the biggest threat to security next year is likely to be human error, it follows that educating employees on how to detect and deter common threats like social engineering or phishing attacks could prove to be invaluable in helping to defend an organisation.”
Beck went on to state: “This research shows that only 31% of organisations plan to invest in employee awareness and engagement training. However, all companies should be teaching their employees a ‘Cyber Security Code’ until it becomes instinctive. CESG, the National Technical Authority for Information Assurance, has produced a Briefing Paper entitled ‘10 Steps to Cyber Security’ which is a really good place to start for the necessary learning.”
Key areas for investment
When asked about key areas for investment to protect organisations from cyber threats in 2016, over two thirds (70%) of IT decision-makers suggested they plan to invest in hiring qualified cyber security professionals in the coming year. 78% stated that they also expected budgets for hiring to increase next year.
However, hiring isn’t a quick and easy solution. Over eight out of ten (84%) respondents said that it took an average of up to three months to fill a cyber security skilled role on their team. To help address this, 45% are planning to invest in further training for existing cyber security staff and 34% of IT decision-makers said they wish to cross-skill/train other IT staff in cyber security specialisms.
“It’s really interesting to compare and contrast some of these findings,” asserted Beck. “70% of those interviewed told us they plan to invest in hiring cyber security skilled professionals in 2016. However, where will these skilled professionals come from? Everyone is struggling to fill cyber security posts on their teams and it’s likely one organisation’s gain will become another organisation’s loss.”
He continued: “However, it’s encouraging to note there’s a growing acknowledgement that, by training and cross-skilling existing specialist staff, businesses can begin to address the skills gap. The key to making this approach succeed will be engaging the HR Department to work alongside IT in the development of strong staff retention strategies. Those companies that motivate and reward their employees appropriately are far more likely to hold on to their cyber security professionals once they’ve invested time and effort in training them.”
Where to turn for advice
When asked which organisations they would go to for advice on increasing capabilities around cyber security, the findings show that respondents would predominantly turn to the IT sector. An overwhelming 92% of those questioned said they would turn to their IT/technology services partner while almost half (45%) would seek advice from specialist IT vendors.
The Top Ten places for advice on increasing capabilities around cyber security are IT/technology services partners (92%), IT vendors (45%), security consultants/consultancies (25%), Government bodies (20%), training organisations (17%), the Information Commissioner’s Office (16%), an accrediting body (14%), peers (14%), Trade Associations (14%) and work colleagues (9%).
Richard Beck explained: “It would appear that those responsible for the security of organisations are placing the onus on the technology industry to solve their security issues. However, this is only one part of the picture when looking to negate the security risk posed to businesses. A majority of high profile breaches comprise a mix of technological know-how in conjunction with human error.”
Beck added: “It doesn’t matter how robust your technology happens to be. The organisation will still face an element of risk. Pretty much every organisation I can think of is cyber-dependent to some degree. Adopting holistic approaches towards security risk should ensure that staff are educated against ever-increasing cyber threats. It’s also fair to suggest that the responsibility for keeping an organisation’s data safe reaches into every corner of every business.”
ITS’ 2016 predictions
Recently, there has been an upward trend in the use of managed service providers (MSPs). Up until the present, MSPs have mostly been contracted to help with technical and equipment issues, but IT Specialists (ITS) firmly believes there are three areas where MSPs will start to grow their influence next year.
MSPs will become more popular among small to medium-sized businesses. They’ll not only oversee day-to-day technology maintenance needs for the host business, but also look for recurring problems and ways to strengthen the IT infrastructure.
Companies will benefit from the MSPs’ knowledge of industry trends and experience with new technologies.
Secondly, a compliance management overlay is critical. If the host business is struggling to manage large amounts of data, remain up-to-date on regulations, retain in-house risk management experts or synchronise its goals with regulations, it might well be time to look outside for help.
Lastly, the management of private and public clouds will separate. Current colocation businesses have begun to have their engineers certified for public clouds from a managed services perspective. They’re also looking to add private managed services within their own data centres.