Survey from QA

How UK Businesses Plan to Tackle Cybersecurity Threats in 2016

London (UK), December 2015 - Despite eight out of ten IT decision makers experiencing a data or cybersecurity breach in their organisation in 2015, less than one-third plan to invest in cybersecurity technologies in 2016.

A survey conducted by training company QA reveals that eight out of ten (81%) UK IT decision makers experienced some sort of data or cybersecurity breach in their organisation in 2015.  A total of 66% said that the breach had led to a loss of data, 45% said that it had resulted in a loss of revenue, and 42% said that it had resulted in a PR nightmare for the business. Despite this, however, less than a third (27%) plan to invest in cybersecurity technologies next year.

It would also appear that not all organisations have learnt from their experience, with less than half (43%) of IT decision makers saying that the breach had resulted in no change to policy and procedure.  Perhaps it's not surprising, then, that 40% said they didn't feel confident they had the right balance of cybersecurity skills in their organisation to protect it from threats in 2016.

The biggest threats to corporate security in 2016 include:

1. organised/automated cyberattacks (54%)
2. compromise through employees, e.g. social engineering (11%)
3. lack of encrypted data (10%)
4. employee negligence, e.g. lost laptops or other mobile devices (8%)
5. not having or enforcing security policies and procedures (6%)

Human error is the second-largest concern (19%) for IT decision makers, with both "compromise through employees" and "employee negligence" featuring in the top five threats.

Richard Beck, Head of Cybersecurity at QA, said, "One way that organisations can try and limit the impact of a skills shortage in the IT department is to increase staff awareness of cyber-threats.  With a fifth of those surveyed acknowledging that the biggest threat to security next year is likely to be human error, educating staff on how to detect and deter common threats like social engineering or phishing attacks could prove invaluable in helping defend an organisation.

"The research shows that currently only 31% of organisations plan to invest in employee awareness and engagement training.  However, all companies should be teaching employees a 'cybersecurity code' until it becomes instinctive.  CESG, The National Technical Authority for Information Assurance, has a paper entitled '10 steps to cyber security', which is a really good place to start for this."

Key Areas for Investment in 2016 - Skills Rather than Technology

When asked about key areas for investment to protect the organisation from cyber-threats in 2016, over two-thirds (70%) of IT decision makers said they plan to invest in hiring qualified cybersecurity professionals in the coming year.  Furthermore, 78% said that they also expected budgets for hiring to increase next year. However, hiring isn't a quick and easy solution.  Over eight out of ten (84%) respondents said that it took on average up to three months to fill a cybersecurity skilled role on their team.  To help address this, 45% say they plan to invest in further training for existing cybersecurity staff and 34% of IT decision makers said they planned to cross-skill/train other IT staff in cybersecurity specialisms.

Richard Beck went on to say, "It's really interesting to compare and contrast some of these findings.  About 70% of those interviewed said they planned to invest in hiring cybersecurity skilled professionals in 2016.  However, where will these skilled professionals come from?  Everyone is struggling to fill cybersecurity posts on their team, and one organisation's gain will become another organisation's loss.

"It's encouraging, however, to see that there is a growing acknowledgement that by training and cross-skilling existing specialist staff, companies can begin to address the skills gap.  The key to making this approach work will be engaging the HR department to work alongside IT to develop strong staff retention strategies. Those companies that motivate and reward their staff appropriately are far more likely to hold onto their cyber-professionals once they've invested in training them.  Perhaps it is time security professionals shared some of the skills gap responsibility with their colleagues in HR?"

Where do businesses turn for advice?

When asked which organisations they would go to for advice on increasing capabilities around cybersecurity, the findings show respondents would predominantly turn to the IT sector.  An overwhelming 92% said they would turn to their IT/technology services partner, and almost half (45%) would seek advice from IT vendors.

The top ten places for advice on increasing capabilities around cybersecurity are:

1. IT/technology services partner (92%)
2. IT vendors (45%)
3. security consultant/consultancy (25%)
4. government bodies (20%)
5. training organisations (17%)
6. the Information Commissioner (ICO) (16%)
7. accrediting body (14%)
8. peers (14%)
9. trade and industry associations (14%)
10. colleagues (9%)

Richard Beck concluded, "It would appear that those responsible for the security of organisations are putting the onus on the technology industry to solve their security issues.  However, this is only one part of the picture when looking to negate the security risk to businesses.

"A large majority of high-profile breaches comprise a mix of technological know-how and human error.

"It doesn't matter how robust your technology is; you still face an element of risk.  Pretty much every organisation I can think of is cyber-dependent to some degree.  A holistic approach to security risk should ensure staff are educated against ever-increasing cyber-threats. Responsibility for keeping an organisation's data safe reaches into every corner of every business."