Only 17% of UK firms have trained staff in cyber security over the past year, according to a report released by the government.
The Cyber Security Breaches Survey 2016 found that while it is common for businesses to regularly update software (88%) and malware protections (83%), and to have configured firewalls (85%), it is less common for them to restrict IT access to specific users (77%) or place security controls on company-owned devices (62%).
Just three in 10 (29%) have written cyber security policies, and just one in 10 (10%) have formal incident management processes. Relatively few companies (34%) have rules specifically around personal data encryption.
Breaches of cyber security systems were found to be prevalent, with a quarter (24%) of all businesses having detected one or more breaches in the last 12 months. This was substantially higher among medium firms (51%) and large firms (65%). Large firms were also more frequently targeted, with 25% of those that experienced breaches having suffered this at least once a month.
Steve Hill, director of external engagement at The Open University, said businesses need to recognise that investing in IT infrastructure and retraining staff must go hand in hand. “As the techniques used by hackers to breach networks and servers become more sophisticated companies need to do more than simply update their IT systems,” he said. “Instead they must ensure their employees have the knowledge and skills to maintain best practice and futureproof the company’s defences.”
A separate government report, the 2015/16 Cyber Governance Health Check, has revealed that 54% of board members only hear about cyber security twice a year or when there is a security incident.
Farida Gibbs, CEO and founder of IT recruitment firm Gibbs S3, said the research demonstrates that many decision makers within business are not recognising the serious nature of cyber security threats. “It needs to be discussed on a more regular basis; waiting until the damage has been done is an incredibly risky strategy,” she said. “Cyber security is often perceived as being less business-critical than implementing the latest digital innovations, but as seen by TalkTalk and Ashley Maddison, one severe breach can do incredible damage to a company’s reputation.”
In HR magazine's recent research with DAC Beachcroft on the future of the function, cyber crime was ranked highly as a potential future challenge by HR directors; 30% of those surveyed said disrupted internet developments due to cyber crime could have a significant impact on their business.
