Cybersecurity progress being made but people remain weak link

15 December 2017

Poor cybersecurity has been estimated to cost up to $480 billion in lost GDP globally. A new survey has found that the US and UK are making major progress on the matter, with around 70% of both respondent groups stating they had improved business processes.

Cybersecurity has climbed the corporate agenda as the scale and sophistication of attacks increases. A recent report from Grant Thornton estimated that cybersecurity-related incidents cost businesses $280 billion globally in 2016. A new report from Willis Towers Watson examines current trends in UK and US cybersecurity defences.

Progress made in respective areas

The researchers expect progress over the coming three-year period, as more companies build defences across their organisations to reduce their exposure to a cyberattack, compared with the previous three years. The study notes, however, that two areas will see reduced focus: 'improving the technology systems and infrastructure' falls 8 percentage points among respondents' priorities in the US, to 68%, and 9 percentage points in the UK, to 66%.

Over the next three years, focus will shift instead to 'improving business and operating processes', which rises by 14 percentage points in the US and 23 percentage points in the UK, to 72% and 69% respectively. 'Addressing the factors tied to human error or actions' will likewise advance, rising by 22 percentage points in the US and 35 percentage points in the UK, to 74% and 75% of respondents respectively.

One of the key methods of gaining entry to an organisation is social engineering. The technique exploits weaknesses in staff procedures, human nature and other facets of the social realm to obtain key information, which can then be leveraged in a more wide-ranging attack. Training staff to avoid the many traps set by adversaries is, as noted above, increasingly seen as a key route to limiting the use and effectiveness of this vector.

Behaviour is linked to training time

Respondents reported varying amounts of time invested in training, and the research found that more time spent on training was associated with better outcomes. To map outcomes, researchers from the consultancy firm sorted respondents into four groups: 'Alert', those who protect personal information in daily life and are aware of information security at work; 'Comply', those who follow data and information protection policies at work but are careless on a personal level; 'Ignore', those who pay attention to protecting personal information but do not act with the same care at work; and 'Unconcerned', those whose technology usage patterns at home and at work may create cyber risk.

Education is key

The research found that moving from less than 20 minutes of training to at least half a day produced a considerable increase in the Comply category, from 17% to 38%, alongside a small increase in the Alert category and a large decrease in the Ignore category. The research also found that, overall, Generation Y respondents were the least careful with data protection and information security, pointing to a need for training protocols designed specifically for that group.

Time spent on cyber training in the last year

Differences in awareness and in cybersecurity-related behaviour at work were also observed by occupation and gender. Interestingly, non-IT workers were considerably more likely to be Alert than IT workers when it came to data protection and information security: 42% of non-IT workers fell into that category, compared with 20% of IT workers. Those in IT were also slightly more likely to be in the Ignore category, at 24% against 17% for non-IT workers, possibly reflecting complacency born of their relative expertise in the area.

Efforts to improve the wider cybersecurity landscape by offering a variety of insurance products are creating a burgeoning ecosystem. Insuring against the largest-scale attacks remains problematic, however, as the potentially very high cost of covering events such as the Sony or Yahoo hacks is prohibitive for the industry. For smaller cases, products have become available.

In terms of the kinds of breaches that give rise to claims, employee negligence or malfeasance tops the list, at 66% of all claims. External factors take second place at 18% of claims, while 9% fall under 'other'. Claims for cyber extortion and network business interruption remain relatively rare. Firms in the UK are also increasingly focused on helping companies train personnel to avoid the worst kinds of attacks.