Closing the cyber security education gap
How a lack of talent, apathy among employees and confusing training is weakening defences
It's been well over a year since a government report estimated 48% of UK businesses had a basic skills gap when it came to cyber security – with those in charge of this critical corporate function lacking the confidence to carry out the kinds of basic tasks set out in the government-endorsed Cyber Essentials scheme, from the National Cyber Security Centre.
So it’s worrying news that 12 months later Vodafone’s cyber security report discovered just a third of UK SMBs said they had a cyber security strategy and basic cyber security protections in place.
Knowledge and talent gaps are still a problem too. While back in 2020 the government report found 64% of cyber firms faced problems with technical cyber security skills gaps among existing staff or job applicants, a recent 2021 Capterra survey looking at cyber security and home working demonstrated a situation that could prove even more critical.
Just 19% of those questioned believed their company had no individual they could contact regarding cyber security breaches – a rise from 11% in 2020 – while a little under 50% admitted they wouldn’t actually know who to contact within their organisation if such a breach occurred.
Javvad Malik, security awareness advocate at KnowBe4 says cyber security should be a joint responsibility between users, IT, and system designers, underpinned by a culture of security across the business.
"The C-Suite needs to actively invest in building this culture not just through security awareness and training, but through setting an example, and ensuring priorities align," he says.
"Cyber security needs to be seen as an investment. Organisations should provide easy to understand and useful information to employees, so they not only practice good cyber security within the office, but also extend it to their personal lives and to their immediate families."
Get the ITPro. daily newsletter
Receive our latest news, industry updates, featured resources and more. Sign up today to receive our FREE report on AI cyber crime & security - newly updated for 2024.
This view is backed up by further Capterra findings, which showed the number of employees who had received IT security training had risen only fractionally year-on-year, from 20% in 2020 to 22% in 2021, despite the wider security risks faced now from remote working.
Owning your own access security
The key to building strong cloud security and avoiding the risk of vendor lock-in
Such a training gulf has undoubtedly been exacerbated by the pandemic, as well as less IT talent availability due to the government’s changing immigration rules.
Taken together, this means companies are not only battling to ensure their employees understand the appropriate safety precautions while working away from the office, but they are also struggling to find the right cyber security employees to determine the precautions that should be taken and put them in place.
Making cyber security training interesting
Another recent piece of research in the form Mimecast's State of Email Security report also paints a worrying picture. Some seven in 10 of those questioned believed employee behaviours such as poor password hygiene put their companies at risk but only one in five organisations had provided ongoing cyber awareness training, according to the report.
An additional problem can be when people feel disconnected from their training, so any lessons delivered don’t sink in.
To combat this, CISO at Entrust Mark Ruchie, advises: "When delivering security training, make it personal for employees with examples they can envision happening at work and in their home environment. Everything they learn will help them address the cyber threats to their company, to their family, and to themselves including identity theft.
"For example, using real-world examples of where passing data has resulted in a breach to your organisation can really hit home to users."
Online learning and education platform Degreed has just rolled out cyber security training to its global, remote workforce. Director of IT Chris Meekins describes how the key to engagement was making sure that training was interactive, to keep things interesting, while asking for feedback to track employees’ cyber security capabilities and knowledge.
“Polls, quizzes, ranking systems, real-life scenarios, and videos all add to the experience. This was followed up with dedicated phishing training as this is a rising threat," he says.
Another example comes from Canon Europe, which hosts 'Security Thursdays' each week, sharing security-focussed videos or written content.
But Quentyn Taylor, its director of information security, also raises a new concern to consider, saying: "Now that employees can work from different locations again, our current focus is to get them 'security ready' for hybrid working.
"Leaving a laptop in a car or a screen unlocked at a café might seem simple, but it's something none of us has had to think about for over a year."
Many employees still unaware of risks
Some of the biggest threats could actually be the most simple to solve. Recent research from HP Wolf Security found that 46% of office workers admitted to using their work laptop for personal “life admin”, and 30% had let someone else use their work device.
An even starker issue comes through an AT&T survey from March 2021, which discovered one in five employees believe there is no way they could be encouraged to care about cyber security risk.
When you view this alongside the growing cyber security skills, talent and training gap, the future landscape may well be bleak, as Adam Enterkin, SVP EMA at BlackBerry, explains.
"According to the Global Information Security Workforce, the UK is set to have 100,000 empty cyber security jobs by 2022. Security teams are exhausted. Human error will happen. It’s absolutely critical that IT teams focus efforts on ramping up cyber security training courses to ensure we are able to plug this gap."
Amanda Finch, CEO at the Chartered Institute of Information Security, believes this evolving threat landscape means compliance to improve training and knowledge cannot be a box-ticking process.
She calls for an industry-wide emphasis on "flexible and continuous" training that would bring about a genuine understanding of the risks, with organisations focused on both emotional and factual engagement. To succeed, this could mean boiling down training to its relatable basics and communicating how it can keep employees, and their families, safe.
Dr Claudia Natanson, chair of the board of trustees at the UK Cyber Security Council, suggests a key way to future-proof tackling the cyber security education gap, as well as the skills and talent one, is to start much earlier on a solution.
She explained: "Cyber security education certainly lies in formal education, as soon as children start to play digitally it needs to be an integral part.
"Threats are constantly evolving and are increasingly sophisticated, but security principles need to form a firm foundation. Without the fundamentals in place across the board, and continual awareness, we will continue to see that the most effective attacks are often the most simple. Educating for cyber resilience needs to start young, but last a lifetime.
"Once in the workplace, there needs to be ongoing education; a muscle we continually train to keep us cyber strong in our jobs and as a nation, today and tomorrow."
Jonathan Weinberg is a freelance journalist and writer who specialises in technology and business, with a particular interest in the social and economic impact on the future of work and wider society. His passion is for telling stories that show how technology and digital improves our lives for the better, while keeping one eye on the emerging security and privacy dangers. A former national newspaper technology, gadgets and gaming editor for a decade, Jonathan has been bylined in national, consumer and trade publications across print and online, in the UK and the US.