IT security training lacking, survey reveals

IT security training and education is lacking throughout many businesses worldwide, with Australian businesses among the worst culprits.

That is the upshot of a new global report by the Ponemon Institute, which highlighted a range of challenges and issues facing today's cyber security professionals.

The organisation identified various problems with IT security initiatives, including communication roadblocks between departments and a need for more funding.

According to the Ponemon Institute, security intelligence and user education are key elements in bridging cyber security gaps. However, many firms are failing to provide sufficient staff training in this area. 

The data showed 48 per cent of employers do not offer cyber security education to personnel, compared with 47 per cent who do. Just 4 per cent said they planned to begin IT security training within the next 12 months.

In Australia, the figures were even lower, as only 40 per cent were currently educating staff on cyber security risks. This was one of the lowest percentages, with only Brazil registering a worse score (32 per cent) among the countries surveyed.

Hong Kong (57 per cent), Singapore (55 per cent) and India (54 per cent) exhibited the highest levels of IT security training for employees. However, Australia did perform well when it came to tackling risk.

"An effective approach to reducing the risk of a cyber attack is to conduct cyber threat modelling exercises," the institute explained.

"The countries with the highest belief that [this] is essential or very important are India, Australia and the US."

The IT security landscape

Overall, the Ponemon Institute's report – titled Roadblocks, Refresh and Raising the Human Security IQ – noted dissatisfaction among IT security professionals regarding their organisations' protective measures.

Nearly 30 per cent said they would implement a complete overhaul of their current enterprise security system if given the chance, and a further 21 per cent desired mild to moderate amendments.

Advanced persistent threats were the biggest fear for 40 per cent of businesses, while data exfiltration attacks ranked second with 24 per cent of the votes.

Other concerns were website hacking (14 per cent), distributed denial of service attacks (12 per cent) and accidental data breaches (8 per cent).

According to respondents, one of the biggest obstacles to improving cyber security risk procedures was a lack of communication between IT departments and executives.

Almost one third (31 per cent) of security professionals said they never speak to the executive team, with 23 per cent claiming they talk only once a year. A mere 1 per cent said meetings are conducted on a weekly basis.

More funding 'needed'

Among the most common complaints expressed by businesses was a lack of appropriate funding to tackle ever-increasing cyber security threats.

More than half (52 per cent) of IT security experts argued their organisation does not invest enough money in skilled staff and technologies.

"To deal with the challenging and dynamic threat landscape, organisations need to have the intelligence to anticipate, identify and reduce the threat," the report stated.

However, plans for the future look encouraging, as 49 per cent of businesses are expected to make significant adjustments to cyber security investments over the next 12 months.

Professionals claimed the top three events most likely to drive spending on such measures are intellectual property (IP) theft, data breaches involving customer information and loss of revenues due to system downtime.

Insider threats are also common, with 67 per cent of respondents claiming they know a colleague or peer whose company has had confidential data or IP stolen by someone within the organisation.

In Australia, this figure climbed to 88 per cent – significantly higher than the global average.