UK workers aware of cyberthreats but hostile to IT departments

13 November 2018 Consultancy.uk

According to a new study, almost 80% of UK workers see regulatory and security compliance as the responsibility of everyone in an organisation. However, while awareness of issues relating to cybersecurity in the UK is high, many employees remain openly hostile to their IT department, and would actually blame the department for a hack, even if their own actions triggered a cyberattack.

Despite the prevalence of data breaches today, the way employees approach security has not changed dramatically – and in many cases is getting worse. A recent study found that while close to two-thirds of individuals are “really worried” about digital identity theft, more than one in 10 workers would share their password with a colleague, among other issues. This illustrated that, despite heightened knowledge of new threats, workers still have bad habits when it comes to both corporate and personal security.

Following on from this, another survey from identity governance provider SailPoint has found that some employees are even actively fighting against IT and their mandates in the search for efficiency. SailPoint’s 2018 Market Pulse Survey has drawn together a global survey from independent research firm Vanson Bourne of 1,600 employees at organisations with at least 1,000 employees across Australia, France, Germany, Italy, Spain, the United Kingdom and the United States. The survey found that while the UK is outperforming comparable nations on many cybersecurity fronts, there is still plenty of room for improvement.

Awareness fails to translate

According to the study, UK staff are more aware of emerging threats in today’s increasingly digitised business arena. 50% of British-based respondents told researchers they were either already comfortable enough to use AI chatbots/personal assistants or plan to do so, above the global average of 48%. At the same time, only 38% of UK participants said they did not understand what GDPR is or how it impacts on them, compared to a much higher global average of 66%. Finally, UK workers were also the most informed when it comes to the importance of compliance mandates across their business, as almost 80% believed that every employee plays a role in compliance – nearly 20% above the global average of 63%.

Friction between IT and business increases

The heightened awareness of new technology, regulations, and threats among UK employees has yet to fully translate into reformed actions, however. SailPoint also found that the majority of respondents from Britain still played fast and loose with their personal details, including infrequent password changes, re-using passwords across different accounts, and duplicating passwords between work and personal email accounts – meaning that if hackers obtain personal details at home, rudimentary research could also see them breach an entire company.

On top of this, a shocking 16% said they would consider selling their workplace passwords to a third party. While this might indicate that many staff in the UK – where wages continue to languish below levels seen in 2008 in real terms – are unhappy with their lot at their present employers, it also opens up a major window of opportunity for billions of pounds of damage to companies and their customers. It is also narrowly higher than the global average of 15%.

Hostility

Meanwhile, on top of the fact many employees are yet to change their ways in terms of cybersecurity, many are openly hostile to the IT departments tasked with preventing breaches. At 60%, a majority of staff said they regard IT departments as a nuisance, 5% higher than the global average.

At the same time, 30% of UK participants said they prefer to purchase and deploy software without IT’s input, opening themselves up to threats like ransomware. Compounding this threat further, more than one in every ten UK employees would not contact IT immediately if they believed they had been hacked – potentially allowing malicious individuals longer to source valuable confidential information.

Despite the added risks incurred by the behaviour of employees, the survey also found that it would be the IT department which catches the blame. Although it is lower than the global average, it is surely a cause for concern in companies that a sizeable minority of 46% are so hostile toward their IT departments, they would blame them for a cyberattack if one occurred as the result of an employee being hacked.

This breakdown in trust suggests that attempts to improve cybersecurity at top firms could be plagued by issues in the coming years, unless it is addressed. Recent statistics have suggested that the average cost of a data breach at a larger firm is £20,000, a loss many firms will be keen to stamp out as quickly as possible.

Outlining actions companies could take to help turn this situation around, Juliette Rizkallah, CMO at SailPoint, said, “With hackers increasingly targeting employees as a means of entry into the enterprise with the dissipation of the traditional perimeter, securing identities is more important than ever before... The best way to address these challenges is with an identity-centric approach to cybersecurity. With identity governance, organisations can embrace the new technologies that come with the digital transformation, enabling their workforces while also providing IT the visibility and security they need in their increasingly complex IT environments. Without identity governance, organisations risk being exposed by employees’ bad habits and the rapid changes introduced through digital transformation.”

Boards of top UK firms must do more on cyber-awareness

06 March 2019 Consultancy.uk

A new report released by the UK Government has found that UK businesses need to do more to build awareness in their firms, if they are to fend off cyber-attackers. The study found that an all-time high of 72% of businesses now see cyber-threats as a top risk, but just less than half of UK boards do not have a comprehensive understanding of the critical assets at risk from cyber-attacks.

Digital technology has revolutionised modern business, with a rate of innovation present in many companies that arguably eclipses that of the industrial revolution. The huge opportunities presented by technology mean that many firms have rushed to digitalise their offerings; but while this means they are able to take advantage of the latest trends, it has also opened innumerable doors for cyber-criminals looking to use technology to loot corporations from across the globe.

Illustrating the extent to which cyber-crime has boomed in the last decade, in the final quarter of 2018, a study commissioned by Bromium and presented by Dr. Michael McGuire at RSA found that the cyber-crime economy has grown to an estimated $1.5 trillion annually. That is only a conservative estimate – but that conservative figure alone is so large that if it constituted a national GDP, instead of a collection of digital frauds, it would be the world’s 13th largest economy.

Amid this state of play, it is easy to see why cyber-security has become one of the key watchwords of any board room in the 21st century. The cyber-security consulting segment has boomed, with the world’s 10 largest operators in the segment bringing in more than $11 billion in related fees, as businesses tap external expertise to help find areas where they can improve their defences. As noted by a new UK Government report, the legacy of this spike in consulting activity is that almost all UK businesses now have a cyber-security strategy, with only 4% admitting otherwise.

Cyber threats are increasingly seen as high risk in comparison to other risks that businesses face

This comes at the end of a sea-change in attitudes toward cyber-security over the last five years. According to the 2018 FTSE 350 Cyber Governance Health Check, in 2013, the largest minority of businesses felt cyber-threats represented a low operational risk, at 38%, compared to just 25% who saw it as a very high group risk. Now, the two opinions have seen a dramatic reversal, with only 6% seeing cyber-security as a low threat, compared to a huge 72% of businesses which see it as a very high risk. Considering the high profile hacks that occurred in the interim, this is perhaps not that surprising.

However, while cyber-awareness in general is at an all-time high, this is where the positive news ends. According to the study, while the vast majority of firms in the UK have a cyber-security plan in place, only 46% have a dedicated budget to enact that strategy. Should their financial positions change rapidly in the near future – something increasingly likely with the prospect of a No Deal Brexit still looming over the horizon – then that plan could fall by the wayside, with the funding shortfall exposing firms to even greater financial damage in the near future.

The study, released by the Department for Digital, Culture, Media & Sport (DCMS) in March 2019, was undertaken in partnership with Winning Moves and support from EY, KPMG, PwC and Deloitte, working with their FTSE 350 clients to participate in the survey. The study also found that while most businesses have incident response plans, most are not testing them: 95% of FTSE 350 businesses have an incident response plan, but a mere 57% test their crisis incident response plans regularly. With companies facing the consistently evolving threat of cyber-attacks, that could leave major chinks in their armour undiscovered until it is too late.

Board understanding of business-critical assets

Similarly, many firms also seem oblivious to the threat posed by their wider supply chains, which if left unchecked, provide hackers with a blank cheque to access company data. A majority of boards do not recognise supply chain risks beyond the first tier, as 77% of FTSE 350 businesses told researchers they did not recognise the risks associated with businesses in the supply chain with whom they have no direct contact.

Meanwhile, almost half of UK boards do not understand the critical assets at risk from cyber-attacks. 54% of businesses in 2018 rated the board’s understanding of critical information, data assets and systems as comprehensive, while of that, only 12% said understanding was the best it could be. This compares to 43% of boards in 2017 and 32% in 2015/16 stating they had a clear understanding, suggesting that key progress is being made, but also that there is a great deal of room for improvement.

Commenting on the findings, Digital Minister Margot James said, “We know that companies are well aware of the risks, but more needs to be done by boards to make sure that they don’t fall victim to a cyber-attack. This report shows that we still have a long way to go but I am also encouraged to see that some improvements are being made. Cyber-security should never be an add-on for businesses and I would urge all executives to work with the National Cyber Security Centre and take up the government’s advice and training that’s available.”