Businesses warned to beware of cyber security traps and ‘false’ infosec training

11 July 2017

BT and KPMG say businesses should beware of falling into traps such as being stuck in the ‘denial’, ‘worry’, ‘false confidence’ or ‘hard lessons’ phases.

While initial investment in technology such as firewalls and antivirus protection is ‘good housekeeping’, firms should avoid throwing money away on IT security products as a knee-jerk reaction, according to a new report from BT and KPMG.

And in separate news, the IISP warns businesses against going down the wrong track in their rush to skill-up through training.

In The cyber security journey – from denial to opportunity report, BT and KPMG say businesses should beware of falling into dangerous traps as they deal with the complexity of securing a digital enterprise.

These include being stuck in ‘denial’ and ‘worry’ phases at one end of the spectrum, and ‘false confidence’ and ‘hard lessons’ at the other end.

According to the report, this is especially true for companies who have matured from the ‘denial’ stage into constant ‘worry’, where investing in the latest technology can be viewed as the silver bullet to the problem. It’s claimed this common mistake can make firms a target not just for cyber criminals but also for “over-zealous” IT salespeople.

“The global scale of the recent ransomware attacks showed the astonishing speed at which even the most unsophisticated of attacks can spread around the world,” says Mark Hughes, CEO, BT Security. “Many organisations could have avoided these attacks by maintaining better standards of cyber hygiene and getting the basics right.”

The report advises businesses to first assess their current controls against best practice, such as the guidance issued by the UK’s National Cyber Security Centre, to help identify any gaps and prioritise essential areas in which to invest.

Furthermore, it says everyone in the organisation from the board down must take responsibility for maintaining high standards of cyber hygiene.

The report adds that businesses must also invest in training and raise awareness amongst staff. It says this can help turn employees from the weakest point in any security chain into every company’s “greatest” asset in the fight to protect data.

But in separate news, the Institute of Information Security Professionals (IISP) is warning companies to invest wisely in cyber security training services with an eye on quality and real benefits.

Following the recent wave of global attacks, the IISP says “inexperienced or narrowly-focused” training providers may jump on the bandwagon, offering courses that don’t provide the skills and techniques needed to prevent and deal with attacks, giving companies a false sense of security and leaving them vulnerable.

“Overwrought” teams will invest in training that provides only top level or “regurgitated” content, warns IISP GM Amanda Finch.

The institute’s general manager Amanda Finch believes that while the move by companies to be more proactive in educating their practitioners and staff about cyber security is certainly very positive, the risk is that “overwrought” teams will invest in training that provides only high level or “regurgitated” content.

She warns that this will not be adequate as it fails to reflect the evolving threat landscape, new technologies, and significant changes in cyber skill profiles and challenges.

Echoing BT and KPMG’s views about employees being the weakest link in IT security, the IISP says more than 80 per cent of security professionals in its recent survey identified ‘people’ as the industry’s biggest challenge, compared to technology and processes.

While this is down to a lack of risk awareness and poor security practices, the institute adds that this ‘people problem’ also includes the skills shortage at a technical level, and the risks from senior business stakeholders making “poor” critical decisions around strategy, budgets and response.