Almost one in four (38 percent) of cyber security professionals say they struggle with a lack of company-wide training or understanding of cyber security, Cyber Security Hub research has found.
The research, which was conducted from February to May 2023, also found that other top challenges for cyber security professionals included a failure to integrate cyber security into company culture (37 percent) and a lack of budget for cyber security solutions (33 percent).
The accumulation of these challenges means that cyber security teams are left fighting to protect their environment while lacking both monetary and cultural support. With Cyber Security Hub research finding that 84 percent of cyber security professionals said they faced at least one cyber attack in 2022, and one in four reporting that the rate and volume of attacks against their organization had increased in the past year, this is a grim outlook for cyber security teams.
Increasing cyber security understanding and promoting a cyber-secure culture
Research by telecommunications company Verizon has found that 74 percent of all data breaches include a human element. Whether that element is human error, privilege misuse, the use of stolen credentials or social engineering-based attacks, the importance of properly educating employees cannot be overstated.
Cyber Security Hub’s advisory board recently discussed the importance of employee cyber security education and training, and gave key insight and recommendations for how to integrate cyber security into company culture.
One member expressed that companies “need to move away from the idea that cyber security is a support function for businesses and make it a priority across the board”, explaining that cyber security teams will never be able to ‘truly’ solve security concerns, that this must be accepted, and that the focus should instead be on fostering a positive cyber culture.
Another member added to this, noting that all cyber security professionals face the same challenges in embedding a cyber secure culture: “The differences in cultures across an organization pose difficulties for a catch-all solution. We need to push this cultural shift to the highest levels of governance in our organizations including senior management where it remains a struggle. Things like phishing campaign emails are simply not enough. Our greatest defense against cyber threats is a well-educated workforce and we must strive for cyber maturity.”
CISO at Aston Martin, Robin Smith, notes that a pro-social approach to cyber security can help employees across a business better understand the importance of cyber security and the role they play in it. Pro-social is a psychological term which refers to something that is intended to help or benefit an individual or group.
For cyber security training, pro-social cyber security saw Aston Martin put “a greater focus on design to delivery on the needs of staff, understanding the context for services and aligning the right digital skills solutions to the right audience”.
Smith explained the reason for choosing this approach further: “Ensuring cyber security across services is key to digital transformation. The pro-social design approach enables the building of digital literacy to be focused on need, engaging and helps optimize staff training time…It also illustrates a determination to develop cyber solutions that are adaptive, resilient and able to focus on optimizing security.”
By focusing on providing relatable cyber security training, companies are able to improve overall understanding of cyber security while also increasing the effectiveness of their own company-wide cyber security. This is because it reduces the chance of successful cyber attacks by focusing on the vulnerabilities presented by less cyber-aware individuals.
Winning budget for cyber security solutions
When it comes to winning budget allocation for cyber security solutions, it can be beneficial for cyber security teams to stress the importance of cyber security to stakeholders.
It has been estimated by David Katz, equity analyst with investment banking group Jefferies, that the recent cyber attack against MGM Resorts is costing the company US$4.2 to $8.4 million per day in lost revenue alone. While the cost of MGM’s data breach was heightened due to the company’s sector, research by technology corporation IBM reported in its Cost of a data breach report 2023 that the average data breach costs companies $4.45 million, meaning the cost of even a single cyber security incident can be catastrophic.
If data is stolen during the cyber attack, this can also incur costs – Facebook owner Meta was fined $275 million following an enquiry into a data leak it suffered in April 2021 after it was determined that the site had not followed its obligations to include data protection by design and default in Facebook’s design.
A Cyber Security Hub advisory board member explained that cyber security teams can push for budget allocation by highlighting the fact that cyber security is not a support function for businesses and instead should be a priority across the board.
Another advisory board member noted that while good cyber security can incur some business costs in the short term, the actual costs of a successful cyber attack can be much more impactful cost-wise.
“Cyber attacks cause significant financial loss when they succeed alongside reputational damage. We need to lead by example and embed a transparent cyber culture. The average cost of a ransomware attack is several millions of dollars but can be compounded further by lawsuits and reputational damage. The costs are colossal,” they shared.
By explaining the true cost of cyber security incidents to their stakeholders, cyber security teams can help gain key buy-in.