The news headlines are increasingly filled with news of cyber attacks hitting organisations, as they become more prevalent and sophisticated. It is therefore of no surprise to hear that the UK Government has decided to invest £1.9 million over the next five years into protecting Britain from cyber attacks. Consequently, cyber security has become a hot topic for UK businesses. Meanwhile, a shortage of skilled cyber security professionals is likely to push up the cost of protecting the enterprise from the cyber criminals intent on targeting UK companies.
As the findings of our recent Corporate Security in 2016 survey reveal, IT leaders at organisations employing 500 or more employees are bracing themselves to counter an ever evolving threat landscape. No surprise, when you consider that 81% confirm they’d experienced some sort of data or cyber security breach in their organisation in 2015.
Here are the top corporate security trends, identified by the study.
Trend 1: Organised cyber attack is the biggest threat to corporate security
Over half of IT decision makers (54%) confirm that organised or automated cyber attack represents the biggest threat to the security of their data systems in 2016. Despite this, 43% of those that had experienced a breach went on to say that they had failed to improve their cyber security systems or change their policies and procedures, putting them at risk of a repeat incident.
But the second highest concern for IT leaders was protecting the business from the impact of human error. Almost one-in-five respondents (19%) were worried about data being compromised if users fall victim to common threats such as social engineering or phishing attacks, or the loss of laptops and mobile devices.
General malaise on the issue of cyber security appears an endemic aspect of corporate culture for many firms. Around 10% of IT leaders worried that their organisation risked compromise because employees don’t follow, or are not aware of, security policies. For some, this was a direct result of consistent failure to train or educate staff in how to detect and deter common threats or adhere to basic security hygiene behaviours, for example: use strong passwords, ‘don’t click on suspicious embedded email links’, never leave your laptop or mobile device unattended. Others were frustrated at an organisation-wide failure to enforce security policies and procedures.
Trend 2: The cyber skills gap puts organisations at risk
Four-out-of-ten IT decision makers (40%) admit that currently they lack the right balance of cyber security skills within the IT department to protect the organisation from threats in the coming year. In response, almost a quarter (23%) had plans in hand to address these shortcomings and improve their balance of cyber security skills. These plans include a mix of classroom, online learning and mentoring skills. In addition, some are also exploring the more practical application of knowledge through a simulated cyber attack where employees can practice to defend their systems. In addition, over two thirds (70%) of IT decision makers said they plan to invest in hiring qualified cyber security professionals in the coming year. However, hiring the right people is not always a quick fix; around 13% of survey participants said it can take between three and six months to fill a skilled security role.
To plug the skills gap, some IT leaders are turning to Operations teams to play a more active role in corporate security issues. Others, meanwhile, are reaching out to the HR department to put in place strategies designed to develop, train and retain existing cyber professionals within the enterprise.
Trend 3: Technology budgets are under pressure
Around a quarter (27%) of IT leaders will be investing in cyber security technologies in 2016. Those that did not experience a breach in 2015 were more likely to do this (58%) than those who did (40%). Yet over a third of respondents (36%) were expecting their budget for cyber technologies will be reduced this year; this was especially true for those who had recently experienced a breach (44%).
With technology budgets under pressure, IT decision makers say they are looking to up-skill existing professionals. More than a third (37%) are investing in further training for security professionals, with a further 39% increasing their spend on cross-skilling and training other IT staff so they can engage in cyber security responsibilities.
Almost one-fifth (17%) also say they are talking to specialist training companies about approaches that will enable them to embed, share and cascade cyber security learning and skills across enterprise IT and security teams.
Trend 4: Cyber security is everyone’s business
With UK organisations feeling vulnerable in the face of increased cyber crime activity, many IT leaders are looking to boost their first line of defence by increasing staff awareness of cyber threats. It’s a positive approach that can help limit the impact of a skills shortage in the IT department.
Almost four-in-ten (38%) IT leaders say they anticipate an increased budget for user training and awareness of cyber crime in 2016. A further 31% went on to say they want to ensure all employees are actively engaged in cyber security protocols and are made aware of what constitutes ‘negligence’ on this issue.
Trend 5: IT leaders seek advice from multiple parties
When it came to advice on how to increase an organisation’s cyber security capabilities, the first port of call for 92% of IT decision makers was their IT and technology services partner, with 45% saying they will also approach IT vendors. Security consultants (25%) and government bodies (20%) were also high on the ‘trusted advisor’ list, as were training organisations (17%) and the Information Commissioner’s Office (16%).
These findings highlight how organisations are still looking to the technology industry to solve their security issues. Nonetheless, there does appear to be a greater awareness that while this may be important when it comes to protecting core systems, negating security risk to the wider business requires a more holistic approach. This includes making sure everyone is aware of their responsibility when it comes to keeping an organisation’s data safe.
The study results show UK IT decision makers taking proactive actions to counter the impact of skills shortages within the IT department and technology budgets in ‘lock down’. The number of high profile incidents in the media last year has resonated even with those organisations unaffected by a cyber attack. For example, 58% of IT leaders whose organisations did not experience a breach in 2015 said budgets for staff awareness training of cyber-crime and threats will be increased this year. All of which indicates that UK organisations are starting to recognise that responsibility for cyber security extends to everyone working across the business.