Cyber Security has been identified by both the UK Government and the European Union as the single greatest threat to many businesses. It is estimated that cyber attacks cost global business in excess of $400 billion in 2015, with 8 in 10 large companies falling victim to cyber crime.
The fact that both the volume of cyber crime and the financial impact of that crime have risen significantly each year since 2008 acts as clear proof that existing systems are not working. Most organisations now have competent and qualified cyber security staff in place, and we are increasingly aware of the critical infrastructure requirements supported by excellent schemes such as Cyber Essentials. The question therefore remains: why do we continue to struggle to cope with cyber crime? The response is clear:
Research indicates that as few as 10% of cyber attacks are actually a result of infrastructure inadequacies. The primary cause of cyber security breaches within a business environment is human error, most frequently caused by a lack of general cyber security awareness and of the confidence to respond. Cyber crime adapts at a far greater rate than existing training and awareness programmes.
We have developed a culture in which responsibility for cyber security awareness and education has been limited to specific individuals within IT and network security positions. As a result, most companies have a significant lack of understanding and acceptance of responsibility throughout the wider workforce.
Increasing levels of remote and mobile working reduce companies' ability to manage the cyber threat effectively, yet little or nothing is done to increase awareness among average system users. For those companies with cyber security awareness programmes in place, few if any have a robust metric for testing understanding and competence. Individuals receive no recognition for increasing their cyber awareness skill set, so personal buy-in to cyber security at work is often minimal.