Undertrained employees are organisations’ biggest cyber security weakness

An organisation’s own staff is its biggest cyber security weakness, a new survey from CyberEdge Group claims. The fourth annual Cyberthreat Defence Report, which polled the security industry’s top vendors, found that respondents’ greatest obstacle in establishing effective defences was “low security awareness among employees”. The second biggest obstacle was a “lack of skilled personnel”.

The results are consistent with CyberEdge’s previous three reports, but, for the first time, the survey also questioned organisations specifically about ransomware attacks. Among respondents, 61% said they had been compromised in the past year. Of those affected:

  • 33% paid the ransom and recovered their data
  • 54% refused to pay but successfully recovered their data anyway
  • 13% refused to pay and subsequently lost their data

Among individual countries, the UK was comparatively secure – although ‘comparatively’ is the operative word, as over half (56%) of organisations reported being compromised. Japan was the least affected country (36%) and Mexico was the most affected (88%).

Can’t get the staff

With malicious attacks being so prevalent, having well-trained staff who are aware of security risks is crucial. Respondents to the Cyberthreat Defence Report corroborate this, and yet organisations continue to be breached with alarming regularity and then blame a lack of awareness among employees.

The lack of well-trained staff can partly be explained by the global shortage of skilled IT security personnel. According to the survey, 9 out of 10 respondents indicated that this was the reason for their security deficiencies.

The availability of skilled information security staff is expected to shrink further. A study released last month reported that the gap between the predicted number of available infosec jobs and the number of new recruits is expected to widen to 1.8 million worldwide in the next five years.

Organisations already rely on staff who lack an awareness of how to protect against and respond to cyber threats, and this problem will only be exacerbated unless employers invest in training their staff.

Train staff to mitigate threats

More than three quarters (76%) of UK office workers don’t know what ransomware is and 36% can’t confidently define a phishing attack, according to an ISACA survey from last year. This is despite the fact that both types of threat have been in use for a number of years, and ransomware is increasingly being delivered through phishing attacks. ISACA estimates that 93% of phishing attacks contain ransomware.

One reason for such widespread ignorance of cyber threats can be found in ISACA’s survey. It claims that more than half of UK office workers say their employers provide no cyber security awareness training.

Awareness of cyber threats is always important, but because ransomware and phishing attacks typically rely on individuals clicking on a malicious link, simply recognising them and how they work can be enough to mitigate the threat.

IT Governance’s Phishing Staff Awareness Course educates staff on the risks of spoof emails, enabling them to spot and avoid phishing campaigns. Using real-life examples and practical tips, the course helps employees become an active part of their company’s cyber security strategy.

Reduce the risk of ransomware infection by enrolling your staff in the Phishing Staff Awareness Course.