The high-profile data breaches of the last couple of years are well documented. The 2017 Wannacry attack on the NHS is perhaps the starkest reminder of the real-world impact cyber aggressors can have. But calling it a reminder might be generous. We’re assuming that we already fully appreciate the importance of data protection and the risks associated with cyber attacks. The extent to which businesses understand the weight of data protection, and their level of preparedness for meeting this growing challenge is vitally important to the UK economy. Two recent Ipsos MORI studies for the Department for Digital, Culture, Media and Sport (DCMS) – the Cyber Security Breaches Survey 2019 and the UK cyber security skills labour market study – shed light on this issue.
On the face of it, businesses do understand the importance of data protection. In fact, data protection is seen as a fundamental driver of investment in cyber security. Among businesses that do invest in this area, over half (54%) say the main reason they do so is to protect customer data. This research came after the introduction of the General Data Protection Regulation GDPR in May 2018, and evidently data protection concerns and rules are increasingly drivers of business action.
This understanding is also shared by those working in cyber roles within businesses. When people in these roles were asked about the skills that were important for working in cyber security, 45% said that “understanding the legal or compliance issues affecting cyber security, such as data protection” was an essential aspect of their cyber role – more than any of the other skills and knowledge areas mentioned in our survey. Again, we shouldn’t underestimate the impact that GDPR has had here.
So businesses talk-the-talk when it comes to their customers’ data protection, but the question remains of whether they walk-the-walk. They see the importance of protecting their customers’ personal information but do they have the technical knowledge and skills to do this?
This is perhaps where more work is needed – to build the cyber security skills and knowledge currently embedded within our businesses. Businesses’ confidence in their ability to handle personal data securely is maybe not as strong as it should be. Two-thirds (65%) of people in cyber roles across all types of businesses – this also includes micro and small businesses – reported feeling very or fairly confident in their ability to “store or transfer personal data in a secure way”. That leaves a notable third (33%) who do not feel confident in their ability to protect personal data (and the remainder say they don’t know). There is also an apparent skills gap in businesses’ ability to respond to cyber security incidents. Our survey indicates that only half (51%) of businesses feel confident in their ability to deal with a cyber breach.
This isn’t just about basic technical skills. Skills gaps are also evident in advanced and highly technical areas like penetration testing, threat intelligence and forensic analysis. For example, just 39% of the businesses that felt they required these kinds of skills are confident in their ability to carry out a penetration test (a process for ensuring systems can withstand attacks and highlighting any potential weaknesses in cyber defences). A similarly low proportion (38%) are confident in their ability to carry out forensic analysis of a breach. Our qualitative work also highlighted potential future cyber skills needs that are currently unmet, like the need to have a bigger pool of people knowledgeable in artificial intelligence and machine learning. These skills gaps may cause some concern about businesses’ ability to protect us from more sophisticated cyber attacks, of the likes of Wannacry, that can significantly impact on our economy. It’s worth noting at this stage that the issue crosses borders and other developed economies are similarly concerned about the skills gaps in their workforces.
But how likely, really, are these organisations to be targeted by malicious actors or suffer a breach? Three in ten (32%) businesses experienced a breach in the last 12 months according to the Cyber Security Breaches Survey 2019. This figure is higher when looking at medium (60%) or large-sized organisations (61%). The threat is real, and currently businesses may lack the capacity and skills to deal with it.
It’s worth noting that the UK Government is carrying out lots of work in this area, to help the economy build the kinds of cyber skills capabilities we will need. Things like the Cyber Security Immediate Impact Fund offers grants to organisations who fill skills gaps today. And for the longer term, there are efforts across Government to formalise the cyber security sector and train the specialists of the future, through things like cyber security apprenticeships and the CyberFirst scheme targeted at 11-17 year olds. Right now, businesses can also consult the Government’s 10 Steps to Cyber Security guidance, Cyber Aware and Cyber Essentials materials.
So there is a will to move in the right direction, and ensure that businesses have the tools and the expertise to be cyber secure. There is also an important and justifiable focus on both current needs and the long-term – the cyber skills needed for the future. Meeting the more immediate need for businesses is a big challenge, and something that all businesses need to consider very carefully. The current Government initiatives in place will be important in supporting businesses to meet their need. But it’s important for businesses to act immediately.
In today’s world, it’s no longer enough to think that cyber security is important. It’s what you’re doing about it that matters.