63 per cent of UK businesses believe that they are highly protected against external cyber threats, and 66 per cent state that they have the right processes in place to react to such attacks - but employees' low cyber knowledge is a danger of its own.
The survey, by Willis Towers Watson (WTW), tallies with other findings by companies such as Juniper Research, which said that SMEs are particularly at risk of suffering a data breach; and Experian, which found that SMEs dramatically underestimate the cost of these breaches, as reported by V3's sister site, Computing.
WTW believes that the disparity between the feeling of preparedness and the increasing number of cyberattacks could be down to a lack of responsibility or accountability among employees. Again, this is backed up by other research: Relay42 recently found that CMOs are largely unprepared for the GDPR, because only 4 per cent believe that it is in their remit. UK employees said that the biggest barrier to effective cyber management in their organisations was 'insufficient understanding' (61 per cent); almost half (46 per cent) spent less than 30 minutes on cyber training throughout 2016, and 27 per cent received none at all.
Of those employees that did complete some cyber training, 62 per cent said that they only did it because it was required; and 44 per cent felt that opening any email on their work computer was safe.
Social engineering is one of the most widespread forms of cyber-attack. Marcin Kleczynski, CEO of Malwarebytes, told us, "You can find these EternalBlue exploits all day long, and it's brilliant, because you then get this code to run on a machine connected to the internet without the user even doing anything; that is one of the most sophisticated attacks and Microsoft will pay half a million dollars for [it]; or you can just email a bunch of people, have them click a link and enable some content in a document. It's easier." He also revealed that even people inside Malwarebytes had been caught out by a fake phishing email that the company had sent around internally - mostly in the sales, finance and marketing departments.
Anthony Dagostino, head of global cyber risk at WTW, said: "[T]he opening of just one suspicious email containing a harmful link or attachment can lead to a company-wide event. However, there appears to be a disconnect between executive priorities around data protection and the need to invest in a cyber-savvy workforce through training, incentives and talent management strategies."
Despite the above, over 40 per cent of employers felt that they had 'made progress' in addressing cybersecurity factors related to human error and behaviours in the last three years.
One of the most frequently repeated conclusions that we heard at InfoSec this week was that digital walls are no longer sufficient to protect corporations; they must invest in increasing their employees' cyber knowledge as well.
Costs associated with minimising cyber risks will continue to rise as technology evolves. While there is a heavy emphasis on technology, WTW found that more than 70 per cent of organisations plan to prioritise 'human capital' solutions and improvement of operating procedures over the next three years.
Computing's Enterprise Security and Risk Management Summit 2017 will be held 23rd November at the Tower Bridge Hilton.