Cyber security remains one of the most challenging issues for business owners, large and small. According to IBM, data breaches cost UK enterprises an average of $3.88 million per breach.
And considering much of the global workforce is now remote, it has never been more important for employees to be cyber aware.
Specops Software recently found that clickjacking is the most common form of hacking in education at 66%, whilst phishing was extremely prevalent among other key industries at 71%.
This prompted Specops Software to investigate the industries without sufficient cyber security training by surveying 1,342 businesses in 11 sectors across the UK.
| Business Sector | % of businesses that have not sufficiently trained employees against cyber threats |
|---|---|
| Travel and Hospitality | 84% |
| Education and Training | 69% |
| Marketing, Advertising and PR | 47% |
| Medical and Health | 42% |
| Creative Arts and Design | 37% |
| Computer and IT | 30% |
| Charity and Voluntary Work | 29% |
| Accountancy, Banking and Finance | 23% |
| Recruitment and HR | 19% |
On average, 41% of employees across all sectors surveyed have not been provided with adequate cyber security training.
It is perhaps unsurprising that those working in Travel and Hospitality have not been adequately trained against cyber threats (84%). It comes after EasyJet was recently targeted in a serious cyber-attack whereby email addresses and travel details for around 9 million customers were breached.
In second place is Education and Training. 69% of respondents who work in this industry claim they have not been trained sufficiently against cyber threats – a worrying statistic as breaches compromise student and staff safety. In fact, cyber attacks have been increasing year-on-year as more instances are reported, with four key reasons attackers target educational institutions: DDoS attacks, data theft, financial gain, and espionage.
Other key industries that have not provided sufficient training include Marketing, Advertising and PR (47%), Medical and Health (42%) and Charity and Voluntary Work (29%).
Understandably, the sectors with far more stringent cyber security training processes include Legal Services (16%) and Recruitment and HR (19%).
Specops also sought to find out if the level of cyber security training had changed since the beginning of COVID-19.
Out of the 1,342 respondents, the results revealed the following:
- I have been trained a lot more since COVID-19 – 21%
- I have been trained a little more since COVID-19 – 37%
- I have not been trained since COVID-19 – 42%
| Business Sector | % of businesses that have implemented cyber security training sessions since COVID-19 |
|---|---|
| Education and Training | 76% |
| Medical and Health | 65% |
| Computer and IT | 39% |
| Travel and Hospitality | 37% |
| Creative Arts and Design | 22% |
| Charity and Voluntary Work | 15% |
| Marketing, Advertising and PR | 13% |
| Accountancy, Banking and Finance | 10% |
| Recruitment and HR | 8% |
Specops Software found on average just 29% of business sectors have initiated additional cyber security training.
94% of respondents claimed it was the responsibility of their company to keep them up to date with cyber security training, whilst 79% could not identify if they were hacked!
To further complement the survey, Specops Software’s Cyber Security Expert Darren James has provided some expertise:
- Why is it important for all employees to be trained?
The fact of the matter is that you can put as many security systems and procedures in place as you wish, but usually the weakest link is always the human being involved. Providing cyber security training is essential. Subjects such as password hygiene, email scam/phishing/malware awareness, social media usage etc. are important and the more attention we can bring to it via training at work, the less likely people in general will fall victim to these crimes.
- Should companies integrate training on a regular basis and how often?
Generally, it’s a good idea to provide basic training to everyone, and to all new employees, so everyone is at least on the same page. Then, it is a good idea to promote awareness through the use of a good password policy, and maybe when IT experiences interactions with users, e.g. service desk/desktop support etc., provide further reminders where appropriate. Some “high risk” users such as IT admins, HR and finance teams should have regular awareness training.
- What can companies do to ensure training is kept up to date, especially now everyone is working from home?
Working from home represents another challenge when providing training. You can send emails out or put something on an extranet/intranet page, but let’s be honest, not many people are going to willingly go and look. Try arranging a “working from home cyber security awareness” call if possible – whether it is per team, or with team managers who can then pass on key information.
Please see the full research here: https://specopssoft.com/blog/uk-business-sectors-lacking-cyber-security-training/