As part of cyber security awareness month in November, Precept, the leading cyber-security IT audit provider in Northern Ireland, reviewed a piece of research to benchmark the status of cyber security within UK PLC. The survey covered over 300 cyber and C-Suite professionals across all industries.
Precept has already worked with many organisations and the public sector, and has trained professionals at every level of their career in cyber security: from entry-level apprentices and graduates to employees who handle sensitive data, IT professionals and security professionals.
Keith Osborne, the Technical Director of Precept IT, based in Belfast explains the significance of the results:
How many organisations have suffered a cyber security breach in the last 12 months and how did that impact their organisations?
37% of organisations that we surveyed admitted that they had suffered a cyber-attack within the last 12 months, but in reality we expect that this is a much higher number.
Of those who recognised that they had been attacked, the impact on their organisation was significant, both positively and negatively. Positively, in that the attack provoked the organisations to change their policies and procedures so that they could deal with an attack better next time (17%). The negative effects were loss of revenue, negative PR and data loss.
Do organisations feel that they have the right balance of skills to protect against a cyber threat in the future?
57% of the respondents felt that they did not have the right balance of skills to protect themselves. In terms of their main investment into developing skills from within their organisation, employee awareness was the most predominant area of investment. 25% of respondents said that they were going to invest in employee awareness and training over the next 12 months, compared to 22% for upskilling their current security teams and 18% for cross-skilling their IT teams. It is widely recognised that employees can pose the biggest threat to organisations through their lack of cyber security knowledge, and therefore become easy targets, so these statistics are not surprising. QA provides a hands-on foundation-level cyber training programme for end-users and non-technical personnel, accompanied by an ethical phishing email tool, which allows organisations to test their vulnerabilities before and after employee training activity. This method is widely used and is a good way to justify employee training spend. Those who said that they would not be investing in cyber security protection were almost exclusively those who had not encountered a cyber security attack. We advise organisations never to stop investing in cyber security prevention; non-technical employees, and particularly those who handle sensitive data, should be constantly reminded of the newest forms of cyber-attack, and the investment of time needed to keep awareness up should therefore be integral to the safety and security of your organisation.
Are organisations struggling to recruit suitable cyber security professionals?
Among the organisations that said they have unfilled security roles there is a clear skills gap: 64% said that the roles had been unfilled for three months or more. This is quite astonishing and shows that these organisations could be in a vulnerable state, as they are failing to fill the roles quickly enough.
Do you think that organisations are making an adequate investment into cyber security professionals' salaries?
41% of respondents reported that wages had not changed over the past 12 months, but 43% said that they had increased. 18% of respondents had seen a 5-10% increase in wages over the past 12 months and 8% had seen an increase of over 10%. This shows that the market is adjusting to the supply and demand imbalance by increasing wages, to ensure that organisations retain and attract the right kind of talent.
Is there evidence to suggest that GCHQ certified training helps an organisation and are organisations aware of this?
Our research shows that organisations that had suffered a cyber security breach were less likely to have heard of GCHQ certified training (53% vs 39%), so it is clearly working for many organisations.
There is a significant opportunity to raise awareness of GCHQ certified training as nearly half (44%) said that they were not aware of its existence. The remaining 56% stated that they had heard of it, but only 19% had invested in it.
How is the status of cyber security viewed by different industries?
The survey was a cross-section of all industries, and 56% of the respondents said that they feel the cyber threat landscape has become "much worse" in recent years. This is not surprising, and I would have expected it to be higher than this given the complexity of the digital landscape and the unknown territory of the IoT.
Is the UK government seen to be doing enough to tackle cyber threats affecting individuals and organisations?
It was re-announced this week by the government, through Chancellor Philip Hammond, that it will be investing £1.9 billion into cyber security defences. Our research, conducted in October, showed that 50% of organisations disagree or strongly disagree that the government is doing enough to tackle cyber threats that affect organisations and individuals. You can view the Government's website to see what they are doing to support organisations with cyber security. It is very clear from this investment, which is on top of the £650m committed in 2013, that the government wants to ensure that the UK is a safe place to conduct digital business.
So, what help do organisations need from government and industry?
Organisations are telling us that they would like support from government in the form of more education and awareness of the threat (41%), help implementing technical defence solutions (37%), more affordable solutions (13%) and more intelligence around the threat (9%).
In terms of industry support, organisations say that they need financial aid, technology improvements, enforcement and legislation.
The government has its GCHQ certified training courses, which use intelligence from GCHQ to ensure that the courses it certifies have the appropriate quality control, so that organisations can protect themselves as effectively as possible.
The upcoming European regulation, the European Data Protection Regulation, which is due to come into force in May 2018, will put the onus on organisations to ensure that their staff are appropriately trained in cyber security. Although we are approaching Brexit, it is likely that our data protection laws will be as stringent, or even more so. Organisations that suffer a cyber breach in which their customers' data is exposed or stolen could be liable for a fine of up to 4% of their global income.
There are industry standards and cyber certifications such as ISO 27001 and IASME, as well as the government-backed Cyber Essentials scheme. The respondents to our research said that the industry standards were very valuable (53%) or slightly valuable (38%).