Companies Failing to Improve Insecure Staff Behavior
Sunday, March 06, 2016 - Filed in: General Interest
A lack of cybersecurity awareness among employees is putting companies at greater risk of being hit by attacks, according to a new report by AXELOS.
The survey of 100 business executives with responsibility for information security awareness training within their companies revealed that less than half (42%) of those polled judge their training to be “very effective” when it comes to providing general awareness of security risks.
In addition, just 28% felt their efforts are “very successful” in affecting the security behavior of staff. When you consider that UK Government research found three-quarters of large organizations suffered staff-related breaches in 2015, with half of these caused by human error, companies failing to positively influence the security behavior of their employees is a worrying trend.
Perhaps the most concerning finding was that respondents in a quarter of organizations said at least 50% of their staff had not completed security awareness training at all.
Nick Wilding, head of cyber resilience best practice at AXELOS, said:
“Cyber-attacks are now business as usual and the resulting financial and reputational damage can be significant. As a result, organizations need to be more certain that they are engaging their people effectively to better equip them to manage the cyber and information security risks they now all face.”
Independent consultant Dr Jessica Barker, a specialist in the ‘human side’ of cybersecurity, told Infosecurity the behavior of staff is incredibly important, and it can often be the weakest link in an organization’s security infrastructure.
“Accidental data loss is a huge problem when it comes to security and the malicious insider threat is real and costly,” she continued.
“Some of the issues we are dealing with are curiosity, temptation and the fact that people can understand something on a rational level but not always act in a rational way.”
Whilst the security industry has made positive strides to change the way users interact with the internet in recent years, there is still a long way to go, Dr Barker argues.
“Continuing to raise awareness is the way to tackle this and we need to communicate with business leaders in the right way, educating them about the human elements of cybersecurity, the extent to which it touches on the job role of everyone in their organization and how they can build an empowering cybersecurity culture,” she said.
“Helping organizations and their leaders understand what good information security governance looks like, and how to establish and support such governance, is key. We need to better translate technical messages and we need to move away from fear, uncertainty and doubt, and any perceptions that there is a technical silver bullet which will fix security.”
Note: This a reprint of an article by Michael Hill appearing on the InfoSecurity web site.