UK businesses ramping up cybersecurity training and insurance

12 June 2017 Consultancy.uk

While cybercrime continues to make global headlines, even while much of the effect remains invisible to most users, a new report finds that UK companies are increasingly focusing on training staff and buying insurance cover to offset increasing risks.

Cybercrime has continued to be a key area of concern for people, businesses and governments across the globe. Large scale attacks, such as the recent WannaCry ransom attack, which compromised patient data in the UK’s NHS, while costing companies billions in lost business and creating additional long-term negative effects on share price. Total costs from cyberattacks last year hit an estimated $400 billion, while for businesses globally the figure came in at an estimated $280 billion.

In a new report from Willis Towers Watson, titled ‘Cyber Pulse Survey’, the consulting firm explores key trends of current cybersecurity operations across UK and US businesses, identified by participants of an international survey.

Cyber security risk

The majority of employers are concerned about cybersecurity, with 66% of those surveyed stating that cybersecurity presents a fundamental challenge to their organisation, while 85% said that cybersecurity is a top priority for their organisation.

A large number of respondents said that they intend to embed cyber risk management within their company’s culture, although few believe that risk management and HR work closely on cyber risk management.

Reporting cyber breaches

Cultural Revolution

The study also found that organisations believe that their current culture is one in which employees – whose actions are often the cause of a cyber incident – are comfortable reporting about data privacy and data security.

Researchers noted, however, that employees continue to engage is relatively risky behaviour. 43%, for instance, report receiving a suspicious email at work which is designed to trick them into opening a harmful link or attachment, while 34% report witnessing co-worker behaviour which is inconsistent with data privacy and information security policies – with around 15% taking action with regard to the breach.

Human factors

The paper meanwhile also found that many employees in the UK continue to lack key skills related self-managing cybersecurity risks, with 61% ranking themselves as having ‘insufficient understanding’. Most of the employees, too, are not being trained to mitigate key risks – 46% say that they spent less than 30 minutes in cybersecurity training in 2016, while 27% had no training whatsoever.

Employers are keen to improve the record, with 58% saying that have been working on improving their business operating processes over the past three years, while 72% say that they pay attention to improvements over the coming three years. Respondents are also keen to address factors tied to human error or behaviour, with focus increasing from 52% over the past three years to 74% over the coming three.

Actions for coming years

Change Needed

One way to improve the situation for employers is through cybersecurity insurance cover. Products in the segment continue to be developed, and often requires some form of basic training across organisations. The study notes that 54% of organisations have added/enhanced cyber insurance coverage in the past two years, while 36% plan to do so in the coming two years. Respondents are also keen to comprehensively train employees on cybersecurity risks, 53% in past two years and 52% for coming two years.

While engagement is a key issue from a cybersecurity perspective, training is able to improve the role played by employees in defending basic systems. Reporting on the benefits of training, 78% of employees report improved understanding of the steps taken to secure confidential information, 77% said training increased their sense of personal responsibility for data security at work, and 63% said that it motivated them to manage their own personal computing device.

Vulnerabilities around employee behaviour

The study found that most employees have at least read the company’s policies regarding data privacy and information security, with around 41% using their work computer or cellular device to access confidential company information – 22% say that they have used a personal computing device not approved by their company to do work at home.

Around a third of respondents, respectively, have logged into their work computer or cellular device using an unsecured public network, used their work computer in a public setting, and shared personal employer related information in profiles on social media sites.

Anthony Dagostino, Head of Global Cyber Risk, Willis Towers Watson, said, “As the world has seen with the proliferation of phishing scams, most recently highlighted by the global WannaCry ransomware attack, the opening of just one suspicious email containing a harmful link or attachment can lead to a company-wide event. However there appears to be a disconnect between executive priorities around data protection and the need to invest in a cyber-savvy workforce through training, incentives and talent management strategies.”

News

More news on