[BreachExchange] How to boost employee awareness in the age of the insider threat

Audrey McNeil audrey at riskbasedsecurity.com
Fri Mar 11 16:54:41 EST 2016


http://www.information-age.com/technology/security/123461090/how-boost-employee-awareness-age-insider-threat

Britain has become a leading target for cyber criminals, with UK businesses
now experiencing higher numbers of cyber attacks compared to elsewhere on
the planet. According to the UK Government’s 2015 Information Security
Breaches survey, last year UK businesses reported an 81% increase in
security breaches compared to the previous year.

Our recent Corporate Security in 2016 survey of IT decision makers in UK
companies with 500 employees or more confirms that battling the rising tide
of cyber threats is keeping CIOs, CTOs and CSOs awake at night.

And while many have plans to invest in additional security technologies or
employ more skilled security professionals in 2016, increasingly it is
employees that represent the weakest link in the security chain.

Most UK organisations experienced a security breach last year

More than eight out of ten (81%) UK IT decision makers in a survey by QA
found their organisation had experienced a data or security breach in 2015
and that the resulting consequences were serious. In most cases (66%) this
resulted in a breach of data, while almost half of respondents (45%)
reported a loss of revenue. Furthermore, 42% said their organisation had
had to deal with a PR nightmare as a result of a cyber attack.

When it came to identifying the biggest threat to corporate security in
2016, IT decision makers were clear. Organised or automated cyber attacks
topped the list for 54%, and were a particular concern for those that had
suffered a security breach in 2015 (58%).

But one-fifth went on to state that the second biggest threat they faced
in the coming year was hackers gaining access to the company as a result of
human error.

All of which explains why IT decision makers expressed a growing concern
that corporate colleagues frequently underestimate the impact of not
following cyber security procedures.

Key issues were that security policies and procedures were not being
enforced, and that ordinary end users were frequently kept in the dark when
it came to security awareness and responsibilities. Other concerns
included the risk resulting from employee negligence in relation to lost
laptops or other mobile devices (8%), and a lack of encrypted data (10%).

Responses to the cyber threat

Once bitten, twice shy appears to be the name of the game when it comes to
a data or security breach, with over half (57%) of respondents confirming
policies and procedures had been changed as a result.

A further 77% went on to say that they would be looking to hire additional
qualified cyber security professionals in 2016 to address skills deficits
within the IT organisation.

But IT leaders aren’t relying on recruitment alone to plug the skills gap.
Almost half (45%) are looking to invest in further training for existing
security professionals, and over a third (34%) intend to cross-skill other
IT staff in cyber security.

There was also a clear acknowledgement from some IT leaders that while the
latest security technologies and top flight professionals will protect core
systems, employees remain the weakest link when it comes to securing the
enterprise.

From opening attachments to following links from emails, end user
behaviours can inadvertently let hackers in through the back door.

But while a third (31%) of the survey respondents said 2016 will see them
investing in enabling greater employee awareness and engagement in cyber
security, 36% of organisations had no plans to undertake user awareness
training in 2016.

That’s a concern, when you consider that even back in 2013 industry
analysts IDC were reporting that more than 60% of external attacks were
targeted at employees via social engineering.

And there’s clear evidence that hackers are increasingly looking to access
a company’s network via its staff; the Government’s 2015 Information
Security Breaches survey reveals that last year there was a noticeable 38%
year-on-year increase of unauthorised outsider attacks on large
organisations which included activities such as spear phishing attacks and
identity theft.

Covering all bases

With the threat landscape escalating, IT leaders confirm that as well as
battling with internal inertia and a lack of an appropriate security skills
mix within the IT team, cyber security budgets are also under pressure.
Although 27% were planning to invest in additional cyber security
technologies in 2016, over a third (36%) said that budgets for such
technologies will shrink this year.

All of which may explain why IT leaders are now focusing on boosting the
profile of cyber security at every level of the organisation itself;
tightening security protocols, enforcing security policies and procedures;
and increasing staff awareness of cyber threats.

Indeed, there appears to be a growing recognition that companies should
ideally ensure all employees are taught a basic ‘Cyber Security Code’ as a
bare minimum. As UK organisations look to pull up the security drawbridge
and improve cyber security systems, communication, education and training
represent an essential step towards changing user behaviours.

With threat levels continuing to rise, ensuring everyone is ‘on side’
with security responsibilities means giving people the skills and knowledge
that empower them to become the strongest link in defending the enterprise.