UK organisations are putting their reputation, customer trust and competitive advantage at greater risk by failing to provide their staff with effective cyber security awareness and capability, according to research.
The study, by AXELOS, into organisations’ approach to information security found that most are underestimating the ‘human factor’ of employee behaviour in corporate cyber risk.
The finding is a cause for concern as UK government research revealed that 75% of large organisations suffered staff-related security breaches in 2015, with half of the worst breaches caused by human error.
In AXELOS’s research, only a minority of executives responsible for information security training in large organisations (500+ employees) said their cyber security training is ‘very effective’.
While 42% said their training is very effective at providing general awareness of information security risks, only 28% said their efforts are very effective at changing behaviour in relation to information security.
For ensuring compliance with regulatory requirements, 37% rated their training as very effective – though only a third rated it very effective in reducing exposure to the risk of information security breaches.
A similar minority of respondents (32%) were ‘very confident’ that the training is relevant to staff, despite almost all (99%) citing security awareness as important to minimising the risk of security breaches.
When asked how many staff had completed their information security awareness programme, respondents in a quarter of organisations said that no more than 50% of staff had done so.
“Despite organisations continuing to invest heavily in technology to better protect their precious information and systems, the number and scale of attacks continues to rise as they discover there is no ‘silver bullet’ to help them achieve their desired level of cyber security,” said Nick Wilding, head of cyber resilience best practice at AXELOS.
“And they often underestimate that the role that their own employees – from the boardroom to the frontline – can play: staff should be their most effective security control but are typically one of their greatest vulnerabilities.”
While praising UK organisations for acknowledging the importance of information security awareness learning, Wilding warned that current training and awareness approaches often aren’t effective.
“Though 32% of organisations are very confident about the relevance of the training they provide, there are nearly two-thirds (62%) that are only ‘fairly confident’,” he said. “Cyber-attacks are now business as usual and the resulting financial and reputational damage can be significant.
“As a result, organisations need to be more certain that they are engaging their people effectively to better equip them to manage the cyber and information security risks they now all face.”