



Humans are the weak link: Security awareness & education still a challenge for UK companies

News Analysis
Aug 14, 2019 | 3 mins
IT Leadership | IT Training

A new CSO study of UK organisations suggests human-centric security is a major priority.


Leading CSOs realise that blaming people for falling victim to phishing attacks, losing devices, or otherwise causing a security incident isn’t beneficial.

People who fear reprisal are less likely to report a problem to the security team, and most such incidents could have been prevented with better controls and training. Despite this, companies seemingly still see people as the weak link, according to a new study by CSO.

To coincide with the launch of CSO UK, IDG conducted a survey of 200 IT leaders from major UK enterprises to explore the state of cybersecurity within UK organisations, including key threats, main investment areas and what is driving the security agenda within the business. The full results are published in our new report, The State of Enterprise Security.

Despite fearing the potential damage fallible humans can cause to a business, security teams recognise reducing that risk requires people-centric solutions as well as technology.

People present a problem and opportunity

Although moving away from blame culture and the idea that people are the problem should be a goal of today’s security teams, most organizations still see employees as a chink in company defenses. A massive 98 percent of respondents agreed with the statement that: ‘The human employee is the weakest link when it comes to cybersecurity’. Over two-thirds agreed with this idea strongly.

Social engineering, phishing, and business email compromise – all attacks which rely on people falling prey to manipulation and trickery – were listed amongst the top threats organizations are most concerned about.

This dim view of the role people play in security likely feeds into why only 13 percent of organizations would rate internal cybersecurity awareness as very good. Also, 40 percent of respondents said awareness was merely adequate, suggesting there is still much work to be done around improving education, raising awareness and reducing people-based risks as a result.

While organizations may still view humans as the problem, security teams also recognize that people-based problems require people-based solutions. 85 percent of the companies surveyed stated they were utilizing awareness training to reduce human error.

GDPR: A more positive effect on the board than scare stories

In the wake of businesses becoming more digitally-enabled and data breaches making headlines on a near-daily basis, communicating the potential risks and benefits of cybersecurity to company leadership is becoming an increasingly important part of the CSO’s role.

Yet there still seems to be a gap between how CSOs and leadership perceive the risk. Over 60 percent of organisations surveyed agreed that a data breach is almost inevitable, yet just 10 percent said management understand the cybersecurity challenges their organisation faces ‘very well’. A third of respondents said management do not understand these risks very well, and another four percent said “not well at all”, which can put both the organisation and the CSO’s position in danger.

However, it seems the European Union’s General Data Protection Regulation (GDPR), despite its detractors, has done more to get security’s message across than any scare story about breaches. Just under 80 percent of respondents said that GDPR had been the main factor in improving cybersecurity understanding in the boardroom over the last two years; more than any single security incident, including the WannaCry and NotPetya attacks, the Facebook/Cambridge Analytica scandal, or the Equifax and Marriott breaches.

The introduction of GDPR was also deemed to be practically helpful; 70 percent of those surveyed agreed that the regulation’s requirements had improved their organisation’s cybersecurity maturity level.