New findings from recently published Government research suggest that half of UK businesses lack the most basic cyber security skills, exposing organisations to potential security breaches, 3 years on from the EU General Data Protection Regulation (GDPR).
Commissioned by the Department for Digital, Culture, Media & Sport and conducted by Ipsos MORI, the research highlights the extent of skills shortages. In the report, the most basic technical skills, as defined by the Government-backed Cyber Essentials scheme, all relate to activities primarily designed to protect digital systems from security breaches:
- Securely storing or transferring personal data
- Detecting and removing malware (from devices)
- Creating backups
- Setting up configured firewalls
- Controlling who has admin rights (access control)
- Restricting software running on devices
- Choosing secure settings
- Setting up automatic updates (patch management)
Does this sound familiar? It may well do: according to the report, if extrapolated out, half of UK businesses in 2021 have basic technical skills gaps, undoubtedly hindering companies in achieving their business goals.
Technical skills gaps are particularly high, both in existing personnel and among job applicants, in areas such as information risk management, auditing, threat intelligence and governance, security architecture and forensics. These are just some of the known global skills shortages.
It’s not just down to the IT department to be concerned with cyber security, though; HR must take a strategic role. HR needs to have a hand in shaping the policies which underpin governance, regulation and compliance, ensuring the right level of awareness and skills are in place to defend business interests.
Let’s begin by understanding your business’s approach to the protection of its IT and, ultimately, the precious cargo of data it stores.
When was cyber resilience last reviewed in your organisation? Was HR involved?
Being cyber resilient is even more important with hybrid and remote working practices. Organisations need to be able to prepare for, respond to and recover from cyber attacks and security breaches. Successful cyber resilience requires a strategic approach, one which is people-focused.
Understand what the consequences of a breach are for your business and ensure your existing policies align with your findings before sharing with your people.
Consider the procurement of outsourced skills to carry out cyber risk assessments, if you don't have the internal capabilities.
Put in place resources needed to make the management of any identified risks effective.
If your organisation has to meet industry or legal standards, you will no doubt already have tailored policies and procedures in place to support cyber resilience; check they still meet their purpose and strengthen them further if necessary.
More importantly, are your people engaged with your policies on a continuous basis, and do they have a clear understanding of their responsibilities?
Boost training and awareness…
Regardless of the size and nature of your organisation, adopting good practice in cyber security has the potential to sharpen your competitive advantage whilst protecting your organisation’s reputation, so investment in cyber skills makes great commercial sense, whether that’s in-house or outsourced.
In the report, only a quarter of the businesses polled had sent their people in cyber roles on relevant training in the last year, dropping to a meagre 10% for wider staff receiving cyber security training.
There’s a strong case, as it becomes increasingly difficult to recruit cyber skills, for businesses to build capability from within. Investing in people by upskilling them not only develops the precise talent your business needs, but also enhances your value proposition as an employer and boosts employee loyalty.
…for everyone
It’s no secret that IT systems are vulnerable to attack, but most cyber breaches are down to humans as they go about their daily business. In plain terms, the biggest threat is already inside your organisation. As a priority, equip your employees with the key skills to identify possible threats on a day-to-day basis.
Create a cyber security training plan that includes all staff: every employee, up, down and across the organisation chart, needs enough knowledge to understand how cyber security impacts their area.
Help your employees understand what security risks are attached to their actions and what it means for your organisation. Cyber Security is an area all the people in the organisation should care about. Employees need to be willing to share accountability for their actions.
Be clear in your communication, and never assume that people know what the evolving threat terms mean; explain the definitions in crystal-clear language. Increase your workforce’s confidence in being able to identify possible threats such as phishing, malware and ransomware.
An easy starting point could be deploying phishing education: when to click and when not to. Help your people know when not to reply to seemingly innocent emails and to recognise the characteristics of phishing scams, such as suspicious links, spelling mistakes and dodgy salutations. Deploying a continuous phishing education programme helps the organisation identify skills gaps and lapses in caution.
Use a different communication platform to confirm a request for sensitive data, by calling rather than responding on the same platform. Security shouldn’t get in the way of people getting their jobs done; however, strong authentication measures like MFA (multi-factor authentication) for access to services should be non-negotiable. Simple and easy always helps adoption of such measures.
What would we recommend?
- Demand the use of separate, complex passwords, avoiding simple, predictable ones such as family and pet names, information that is probably already out there on social media.
- Insist on the use of a password vault like Keeper Password Manager to store passwords securely and ensure complexity.
- Maintain regular and mandatory phishing testing and education to reinforce your cyber values.
Data breach response
Foster trust by designing communication strategies that help people feel confident bringing vulnerabilities to attention. Do they know who to report attacks and potential breaches to within the business, and how quickly?
Will their reporting of threats be valued or rewarded?
Promote openness: mistakes are often made at times of great stress.
New people in your organisation
At recruitment stage, look for desirable characteristics. How do they think? What is their value system, and does this align with the integrity of your organisation?
Pay particular attention to vetting the authenticity of any accreditations and experience applicants say they hold; a screening provider will do this quickly.
Write cyber roles into job descriptions, so people know exactly what is expected of them.
Re-emphasize your Cyber values during the onboarding process.
Increase your Cyber resilience today, and ask us about our…
- Phishing Education
- Password Manager solutions
- Cyber Essentials Certification
- Penetration testing
- Cyber Security Managed service