UK organisations are overlooking the importance of cyber security staff awareness training, instead investing in expensive and unnecessary technologies, a VMware and Forbes Insight study has found.
The research revealed that 78% of UK businesses are using substandard cyber security solutions, even though 40% have acquired new tools in the past year.
It also found that 74% of respondents plan to invest even more in technologies that detect and identify threats over the next three years, despite already having multiple products that do that. In fact, more than a quarter of respondents said they have 26 or more products designed to do this.
So, why are businesses trapped in this cycle of investing in cyber security solutions they don’t need? And why are they relying on technology instead of allocating some of their resources to staff awareness training?
Organisations can’t spot their weaknesses
The problem can be boiled down to organisations not doing a good enough job of assessing their security threats and how to manage them. Many managers appear to be stuck in a cycle of assuming that technology is the best solution, reasoning that more tools will make their organisation more secure.
But there’s only so much technology can do. For example, layering one anti-malware solution on top of another will not make an organisation significantly more secure.
The dual tools might combine to alert you to one or two more threats, but that doesn’t make it cost-effective, particularly when there are other weaknesses that your money could be better spent on – like staff awareness training.
Employees handle sensitive information every day and inevitably open the few malicious emails that slip past anti-malware technology, so they need training that equips them to recognise threats and avoid costly mistakes.
Thanks to the rise in e-learning training and Live Online options, information security training is more convenient than ever. Employees don’t have to disappear for a day or two to take a course; they can study in their own time and can even do it in the office, ensuring that they’re available should an urgent work issue come up.
Yet many organisations are ignoring this solution while also admitting that their security defences aren’t adequate. Just 16% of survey respondents said they were extremely confident in their ability to address emerging security challenges, and only 14% said they were extremely confident in the skills of their employees.
Same solutions, same results
The one piece of good news from this survey is that senior executives appear to be happy to invest in cyber security solutions. In the past, it had been a battle for employees to make the business case for information security investments, leading to meagre security budgets that had to be spread thinly across the organisation.
Now it seems that management are all too aware of the financial effects of data breaches and are willing to invest heavily. Whether they stick with that strategy when it becomes clear that their spending has proven ineffective remains to be seen, so it’s important for employees to take this chance while they still have it.
Ian Jenkins, VMware’s director of sales, networking and security in the UK and Ireland, explains the approach organisations should be taking:
Breaches are inevitable, but how fast and how effectively you can mitigate that threat and protect the continuity of operations is what matters.
Combining this approach with a culture of security awareness and collaboration across all departments is crucial to driving cyber best practice forward, and helping enterprises in the UK and across EMEA stay one step ahead in the world of sophisticated cybercrime.
Creating a culture of security is obviously easier said than done, but organisations that commit to it will see that it’s much more cost-effective than simply relying on technology.
Different solutions, different results
A successful security culture begins with ISO 27001, the international standard describing the specifications for an ISMS (information security management system).
An ISMS is a central framework that helps you manage, monitor and review the security practices of people, processes and technology.
It’s designed to help organisations bolster their information security practices while optimising costs. It’s technology- and vendor-neutral, and is applicable to all organisations, irrespective of their size or sector.
IT Governance offers several training courses to help you understand and implement ISO 27001. Those looking for a better understanding of what the Standard covers and how it can be applied to their organisation should take a look at our Certified ISO 27001 ISMS Foundation Training Course.
Designed by the team that led the world’s first ISO 27001 implementation project and delivered by an experienced information security expert, this one-day course is a primer on the technical aspects of the Standard and gives you the opportunity to participate in group discussions and practical exercises.
Those who are aware of the Standard and want to build on their knowledge might prefer one of our other courses:
- Certified ISO 27001 ISMS Internal Auditor Training Course
- Certified ISO 27001 ISMS Lead Implementer Training Course
- Certified ISO 27001 ISMS Lead Auditor Training Course
- Certified ISO 27005 ISMS Risk Management Training Course
- Certified ISO 27701 PIMS Lead Implementer Live Online Training Course
Join our Rewards Club
We’ve made it easier and more cost-effective to study with IT Governance, thanks to our Rewards Club.
Members receive a 25% discount on training courses for life, and if you book before the end of November, you’ll also receive a £30 e-book voucher to spend on anything in our webshop. A title that our readers might enjoy is EU GDPR: A Pocket Guide, by Alan Calder.