Training? What training? Workers' lack of cybersecurity awareness is putting the business at risk

Employees should be the most effective security control, but instead they create the greatest vulnerabilities, warns report
Written by Danny Palmer, Senior Writer

Human error is the most common cause of data breaches.

Image: iStock

Human error is responsible for the worst data breaches and, because of a lack of cybersecurity awareness, organisations are risking their reputation, customer trust, and potentially their bottom lines when employees mishandle data.

These are the messages from research into approaches to cybersecurity within organisations conducted by AXELOS, a joint venture setup by the UK government and Capita to nurture best practice in business; and it makes grim reading.

The report suggests that organisations are ultimately failing to protect themselves against cyberattacks because even if staff are being provided with cybersecurity training, it isn't adequately informing them about good practice.

This represents a major cause for concern, especially given that recent research by PwC suggests that three-quarters of large organisations suffered a staff-related security breach during 2015, with half of the worst cases caused by human error.

So why are these sorts of data breaches so common? The AXELOS research suggests that it's likely because staff aren't aware of cybersecurity issues, with respondents in a quarter of organisations revealing that under half of staff had taken any sort of awareness programme covering hacking, cyberattacks, or good cybersecurity policy.

However, while the majority of organisations offer employees some security awareness training, only a quarter of executives believe that this training is "very effective" at changing employee behaviour regarding information security.

Meanwhile, only a third are "very confident" that the training provided is actually relevant to staff, despite almost all respondents agreeing that cybersecurity awareness is an important factor in preventing security breaches.

Nick Wilding, head of cyber resilience best practice at AXELOS, argued that the research demonstrates how there's no "silver bullet" for cybersecurity, especially given how "staff should be [businesses'] most effective security control but are typically one of their greatest vulnerabilities".

Describing how financial and reputational damage as a result of a cyberattack can be can be "significant", Wilding warned: "Organisations need to be more certain that they are engaging their people effectively to better equip them to manage the cyber and information security risks they now all face."

Alongside the research, AXELOS has published advice on cybersecurity awareness training which organisations should include "as a minimum" when attempting to educate staff in how to best prevent data breaches.

"The awareness learning you provide should be directly relevant to the work of your employees and the information security risks they face. Staff need the ability to anticipate and withstand the ever-changing methods used by hackers and other cyber criminals," the best practice advice said.

It suggests employees should be aware of threats such as phishing and social engineering, as well as being taught the importance of a strong password and good handling information technique.

Writing in a blog post, Wilding states that good cybersecurity awareness is a must because "cyberattackers have the upper hand -- they only need to be successful once". Therefore, "your people -- all of them -- have to be aware and capable to make the right decisions, every time they're exposed to different cyber risks".

"Preparing them effectively for when, not if, that day comes requires a new approach to learning - one that truly engages them and which uses the latest learning techniques to drive new cyber resilient behaviours," Wilding concluded.

While it's naturally important to do the utmost possible to prevent data breaches, a recent report by the Institute of Directors suggests that those organisations which have lost information following a cyberattack are still scared of reporting the incidents to the authorities.

Read more on cybersecurity

Editorial standards