The Facts & Figures of failing cyber security over the last year
For so long the need to improve cyber security awareness and skills has been drilled into workers heads, so why is it still not happening and instead incident figures are rising?
Cyber-attacks took over the news headlines in 2017, but despite the concerning coverage there is still a lack of awareness and ability to tackle and prevent the incidents.
Research from various companies continues to point out that workers are not educated enough in cyber security, lacking valuable skills and preventing proper protection from attacks. Despite plans put in place to overcome these barriers, such as a £20m cyber security programme, numbers continue to grow instead of diminish.
Not even half of workers within organisations have the necessary cyber security skills, a report from Capgemini has found.
In total only 43% of workers within organisations have the required cyber security skills for their jobs, which equates to a 25% difference to the demand that needs to be achieved. The report revealed that lack of cyber security skills were the worse among companies, with gap between demands and actual for innovation only at 21% and 13% for analytics skills.
“The cyber security skills gap has a very real effect on organizations in every sector,” says Mike Turner, Chief Operating Officer of Capgemini’s Cyber security Global Service Line. “Spending months rather than weeks looking for suitable candidates is not only inefficient it also leaves organizations dangerously exposed to rising incidents of cybercrime. Business leaders must urgently rethink how they recruit and retain talent, particularly if they wish to maximize the benefits from investment in digital transformation.”
Capgemini’s report expects the demand for cyber security skills to only increase in the coming years, therefore company’s must invest in developing the skills. The report recommended four options including reskilling existing workers, integrating security by design, retention by incentive and thinking outside the box when hiring.
Governments are not exempt
Local governments also fall short when it comes to cyber security awareness and training, with research finding substantial figures against the organisations.
Data collected from campaign group Big Brother Watch found that local governments across Britain were hit by almost 100m cyber-attacks, in the last year alone. Of those councils that were attached one in four were successfully breached.
The research recorded by the Watch found the incidents equated to 37 cyber-attacks per minute. From the respondents, a total of 29% reported at least one cyber security incident defined as an actual breach of their systems. The local councils of Tonbridge and Malling reported the most attacks, totalling at 62 incidents.
Worsening the problem, the research revealed that despite the number of cyber-attacks 56% of local councils admitted to not having reported incidents. Additionally, three quarters revealed they do not provide mandatory training for cyber security with 16% providing no training at all. However the government has attempted to tackle the problem with a cyber security training programme.
“Considering that the majority of successful cyber-attacks start with phishing emails aimed at unwitting staff, negligence in staff training is very concerning and only indicative of the low priority afforded to cyber security issues,” the group said.
A study from McAfee found that two thirds of online users, equating to two billion indviduals, have had their personal information stolen or compromised since 2014. The study was carried out in partnership with Centre for Strategic and International Studies (CSIS).
The research found that the theft of intellectual property accounts for at least a quarter of the costs of cybercrime. Financially, the personal information stolen equated to damages totalling almost $600bn, a staggering increase of $150bn since 2014.
McAfee has said that the cyber-crime world has become much more efficient, with elements such as Bitcoin allowing actors from easy identification. Therefore the security company believes it is essential that organisations work as a team to bring together people and technology.
“Businesses often struggle to remain vigilant against threats because they have too many tools operating in silo at once – and failing to communicate with each other,” Raj Samani, chief scientist and fellow at McAfee, said.
“By making sure that tools can work together and removing siloed security teams, organisations can find the right combination of people, process and technology to effectively protect data, detect threats and, when targeted, rapidly correct systems. This will be key to keeping pace with criminals’ rapid adoption of new technologies, an expanding number of cybercrime “centres” and the growth of cybercrime-as-a-service.”
Daily Security Alerts
Cisco recently released its 11th annual cyber security report, surveying 3,600 Chief Security Officers and SecOps managers from 26 counties about the condition of cyber security within their organisation.
The survey found that almost a fifth (17%) of organisations identified somewhere between 250,000 and 500,000 security alerts per day in 2017. In financial terms, over half of the attacks numerically equated to damages of over $500k lost in revenue, customers, opportunities as well as out of pocket costs.
Last year’s evolution of malware shows adversaries are becoming wiser at exploiting undefended gaps in security,” said John N. Stewart, Senior Vice President and Chief Security and Trust Officer, Cisco. “Like never before, defenders need to make strategic security improvements, technology investments, and incorporate best practices to reduce exposure to emerging risks.”
Organisations said that they are investing in more technology, such as automation (39%), machine learning (34%) and AI (32%). However, despite the investments a lot of organisations still create chances themselves to be hacked by the number of vendors they host. Cisco found that a quarter of businesses could be using products from up to 20 vendors, compared to 18% in 2016. This substantial amount of products could lead to cyber-attacks, with so many platforms to securely manage.
Not Learning From the Past
The Department of Health carried out research into NHS Trusts, following the massacre of WannaCry in 2017, to ensure the same thing did not happen again.
However, unpleasantly the results significantly differed from what was hoped for. The department’s findings revealed that all 200 NHS Trusts failed cyber security assessments, despite the impact of WannaCry and enhanced security measures since.
Raj Samani, Chief Scientist and Fellow at McAfee, said: “As this news shows, due to the severe and rapidly evolving threat it faces, it is hard for the NHS to update its security processes fast enough.
“However, the healthcare industry cannot accept defeat. Instead, it must work with security vendors and other public sector organisations to share resources and threat intelligence to more effectively combat the growing rate of cybercrime. Only once this is in place can organisations take a more strategic approach to their defences and bring us one step closer to finding those responsible.”
The NHS has been putting more plans in place to reduce the number of cyber-attacks, such as partnering with Microsoft for a cyber-security plan but only time will tell if it pays off.