Over 50% of UK Organizations Not Ready for Cyber-Attack

Over half of UK organizations aren’t prepared for a sophisticated cyber-attack, with the chronic shortage of skilled professionals remaining a major problem in the industry, according to a new report from ISACA.

The non-profit professional IT body’s 2015 Global Cybersecurity Status Report breaks out country-specific data and the news doesn’t look good for UK firms.

Almost two-thirds (64%) said they expect their organization to experience a cyber-attack in 2015, but more worryingly only 45% claimed they were prepared for such an eventuality.

Some 30% said explicitly they weren’t prepared while 25% weren’t sure.

Unsurprisingly, 84% said they believed cyber-attacks are amongst the three biggest threats facing organizations today.

Skills shortages in the industry have been a perennial topic for debate for years and the research once again highlighted concerns.

Some 87% of respondents said they thought there was a global shortage of cybersecurity professionals, with 41% claiming that although they were planning to recruit in 2015, they expected it would be difficult to find skilled candidates.

Only 2% said they thought it would be easy to find the right talent to fill information security gaps in the organization.

Part of the problem seems to lie in being able to find the best graduates. In total, 41% of respondents claimed that it’s difficult to identify who has an adequate level of skills and knowledge when recruiting straight from colleges and universities.

This isn’t because there are too many certifications or standards, but rather it’s a matter of choosing the right ones, according to ISACA international vice president, Ramsés Gallego.

“At ISACA, we feel that there’s a need for foundational training, and then a further set of training modules to amplify and expand how to better protect and defend businesses. Standards and frameworks are here to provide guidance but, again, picking the right one – the one that suits the need of your enterprise – is key to success,” he told Infosecurity.

“We believe that a framework which is business-focused, process-driven, results-oriented, and covers the enterprise end-to-end is vital. A framework that understands all aspects of IT security and governance – risk management, auditing, security, value delivery, performance and management – and then factors in employees and third parties, is instrumental for companies around the world.”

Reassuringly, over half of respondents (57%) said they were stepping up security training for staff in 2015, although such programs are often criticized for a box-ticking approach which fails to actively improve the awareness of employees.

Gallego argued that the only way to make such programs relevant is to talk about security in business terms and clearly communicate what’s at stake if IP falls into the wrong hands.

“Businesses should be taking advantage of industry frameworks that empower everyone to understand culture, behavior, ethics, capabilities, etc,” he added.

“It is vital for businesses to know what an employee managing health records, billing information and credit card data knows and what an administrator with privileged access could do – they can then implement the appropriate awareness training with metrics and ‘what if’ situations that clearly indicate the business repercussions if information is not managed properly.”