UK Cybersecurity Skills Gap Persists – Especially for Cloud

A quarter of British organizations said that they don’t have the knowledge to manage virtual security deployments, with 52% stating this is down to a lack of training or having the funds available to train

A survey from PwC has revealed that 53% of UK and global companies are not equipped to deal with cyber-attacks, despite 58% indicating that they faced “substantial or critical” cybersecurity risks. The report also highlighted the wide gap that remains between this knowledge and what many are able to do about it – only 12% of companies admitted they had a formal process for assessing technology-related risks to their company. The survey also noted the need for formal processes to assess technology-related risks, and for the current knowledge gap on cybersecurity to be addressed. 

PwC’s assessment echoes the sentiments of UK Defence Secretary Philip Hammond, who earlier this month announced government plans to bolster UK cyber-defences. Hammond has declared that the UK will recruit a cyber-army of hundreds as military cyber reservists. "People think of military as land, sea and air," he told the Mail. "We long ago recognized a fourth domain – space. Now there’s a fifth – cyber. This is the new frontier of defense. For years, we have been building a defensive capability to protect ourselves against these cyber-attacks. That is no longer enough."

Peter Armstrong, director of cybersecurity at Thales UK, said that public-sector investment aside, companies must continually assess their defense capabilities and employ best-practice cyber-maturity models to center on continuous policy evaluation and adaptation. But the main thing is finding and maintaining the right skill sets.

“Both private and public sector organizations should also hire and maintain qualified cyber-employees,” he said in a comment to Infosecurity. “Educating staff both on a company’s own security policies and procedures, as well as industry best practice and regulatory standards, will greatly reduce the risk of an incident resulting from poor or lack of education.”

The move of enterprise communications to the cloud in particular is causing a notable skills gap according to new research. Trend Micro has in fact found that a quarter (25%) of British organizations said that they don’t have the knowledge to manage virtual security deployments, with 52% stating this is down to a lack of training or having the funds available to train.

British businesses are also demonstrating a lack of understanding over where the responsibility of the security of their virtual machines actually lies, the study concluded. One in four (25%) organizations have their virtual infrastructure hosted in a third-party data center, while 33% have it hosted both on premises and in a data center, which is leading to a lack of clarity over who is responsible for information security. Encouragingly, the majority (41%) understand that responsibility for securing these virtual machines lies with both the organization and the data center provider. However, almost a third of respondents think that the responsibility lies solely with the data center provider, meaning they’re trying to wash their hands of the problem.

“Ultimately the responsibility lies with organizations to provide their staff with the training and support necessary to ensure business data is safe,” said Michael Darlington, technical director at Trend Micro, in a statement. “Without this investment, we will see businesses continue to struggle to secure their virtual networks, leaving themselves open to the risk of cyber-attacks.”

Worryingly, when searching for a security solution for their virtual environments, the majority of UK businesses (70%) are prioritizing cost over the solution’s effectiveness at detecting and stopping threats. The ease of deployment and management of the solutions is the next priority (62%), with effectiveness at keeping the infrastructure secure coming in third in the list of priorities.

“Given that third party hosting of virtual machines isn’t exactly a new concept, it’s surprising that UK organizations are still unsure over where responsibility lies with managing the security of these devices,” said Darlington. “We need to look at introducing industry-wide guidelines to provide businesses with clarity here, ensuring that they are working with data center managers to protect their virtual assets in the best possible way.”

In the “win” column, promisingly, almost two-thirds (64%) of security professionals want to improve their skills in securing virtual environments to address this knowledge gap. And two-thirds (65%) of IT decision makers want to see their organizations boost investment in training to help them develop the skills required to better secure virtual environments.

At an industry level, 57% of British businesses want to see virtual security guidelines put in place to help organizations understand best practice. Additionally, over half of UK businesses are seeking more guidance from vendors when it comes to securing virtual environments.

“Trend research from earlier this year revealed an alarming number of British businesses are struggling to keep their virtual systems secure and our latest report finds that a lack of training and education is the main contributor to this issue,” said Darlington. “However, it is promising that security professionals recognize the problem and are demanding investment in up-skilling to better equip them to manage new, complex IT infrastructures.”

There are also a number of IT-administered employee controls that organizations can consider, including network monitoring technology that alerts the necessary parties when rogue devices connect to the network to either infect a corporate IT system.

“The statistics show that there is clearly a high level of naivety in the market – but the consequences of cyber-attacks are now so severe that cyber defense must become a board room discussion where companies explore what measures need to be put into place to ensure they are acting proactively – not reactively,” Thales’ Armstrong said.
