Why we need cyber-security literacy across the workforce.
As technology evolves, cyber-security is becoming a bigger challenge for organisations. UK businesses alone faced nearly 146,000 attacks – one every 50 seconds – between April and June 2019 [1]. But despite recent growth, as indicated in a government report that valued the UK cyber-security sector at £8.3 billion, the skills gap remains large.
The Department for Digital, Culture, Media & Sport (DCMS) and Ipsos MORI [2] completed a research study which looked at cyber-security awareness and attitudes across UK organisations. Interestingly, it found that hundreds of thousands of staff lack the basic knowledge, understanding and general skills to deal with everyday incident response and cyber-security threats. In fact, not only did it highlight that 48 per cent of UK businesses identified a skill gap, from basic to advanced, but also that cyber-security leaders within these organisations were not confident in performing basic tasks as listed in the government’s Cyber Essentials scheme.
As we look to the future, the presence and use of digital technology will become an intrinsic part of most roles. The rapid emergence of new technologies means there will be a need for a digitally literate workforce. General security awareness will be an implicit requirement and cyber-security “literacy” will be an inescapable part of this. Staff working with technology need to be more threat-aware, able to use basic security controls, make informed decisions and recognise that sensitive data needs to be protected and that they must act accordingly and in their organisation’s interest. As indicated in the report, setting up firewalls, antivirus protection and regularly updating software and devices are basic requirements.
In short, people need to be aware of their own responsibility as employees – which itself could prove challenging in the gig economy, where the same person might find themselves working for several employers at once (each with different flavours of security policy and technologies).
However, the breaches we are now seeing suggest there is a long way to go, and that we are, in fact, far short of having the cyber-literate workforce that is needed. If not addressed soon, this will have serious consequences in the future. We require more effective, widespread and integrated education to boost everyone’s cyber-security skills and generate societal awareness – not just for a select few. Unfortunately, this is an area that is often overlooked or underserved – even in terms of raising basic awareness, let alone any comprehensive cyber-security literacy, or basic understanding.
For example, the latest Cyber Security Breaches Survey shows that only 37 per cent of UK businesses claim to provide user education or awareness training [3]. In fact, in most cases, staff awareness and communication activities tend to follow a significant breach or attack, suggesting that these incidents are preventable or would at least be “less severe” if awareness had been raised in the first place. Furthermore, there will be many whose training and awareness efforts will have amounted to little more than sending out related emails, or offering basic box-ticking e-learning, which may succeed in briefly raising awareness but hardly counts as anyone having been trained or left more informed. Despite this worrying result, this is still an improvement compared to previous reports, where fewer than a third of businesses had stated themselves as addressing the issue.
Of course, plugging the skills gap and boosting overall cyber-security awareness should not be the sole responsibility of employers. This is a collective issue – it ought to be part of what staff already know, either from their own education or other activities outside the workplace. Everyone needs to understand security risks and compliance needs. As a society, we need to be proficient in tech-talk or security-speak. Boosting awareness can ensure better security for ourselves as individuals.
In the future, government, institutions and industry should make a collective effort to better understand the scope and nature of the cyber-security skills challenge. Ideally, the UK requires a national strategy that not only nurtures a sustainable pipeline of talent, but that creates a “dialogue”, generates awareness and establishes cyber-security literacy for all parties involved.
However, we’re not there yet. In the meantime, businesses should strive to instil positive behaviours in their employees, to generate awareness so staff are always enabled to keep themselves safe and threat aware, both in the workplace and at home.
by Steven Furnell, senior member of the Institute of Electrical and Electronics Engineers (IEEE) and professor of information security at the University of Plymouth