Half of businesses lack basic cybersecurity skills, government warns

Employers urged to introduce targeted training as DCMS report finds many firms are not confident storing personal data, creating firewalls or detecting malware

Half of UK businesses lack the most basic cybersecurity skills, new government research has revealed, prompting urgent calls for employers to take action. 

The research, conducted by Ipsos Mori on behalf of the Department for Digital, Culture, Media and Sport (DCMS), found 50 per cent of the 965 businesses polled “lacked the confidence” to carry out at least one of a series of basic technical tasks.

These included almost a third (31 per cent) of companies that said they were not confident storing or transferring personal data; a quarter (25 per cent) that were not confident setting up firewalls; and a fifth (20 per cent) that cited detecting and removing malware as an issue.

If extrapolated across the UK, this would mean some 680,000 businesses currently lack the basic cybersecurity skills needed to protect themselves against common online threats.

Other ‘basic’ skills – as defined by the government’s Cyber Essentials Scheme – that some organisations lacked included restricting the software that runs on company devices, choosing secure settings, setting up automatic updates, controlling who has admin privileges and creating back-ups.

Kevin Whelan, chief research officer at cybersecurity services firm Tiberium, said HR had a crucial part to play in ensuring their organisations were secure by “helping to shape and implement policy but also by educating and supporting the workforce”.

He said that, when it came to recruitment, a basic knowledge of cybersecurity should be expected from potential employees – although this would vary according to industry – and that targeted training with specific industry use cases during onboarding should be implemented and followed up throughout the employee lifecycle, with continuous awareness training, testing and reward schemes.

Whelan also encouraged HR professionals to avoid fostering a blame culture and to instead develop a learning culture within their organisation.

The government report concluded that these skills gaps were “often exacerbated by perceptions gaps among key decision makers”, including management boards; IT teams that lacked an appreciation for cybersecurity; hiring managers that may not be working as effectively as they could with HR staff; and recruitment agents.

“There are also structural barriers, particularly for smaller cyber firms, which may find it hard to implement structured training programmes, or take on apprentices or other entry-level staff,” it continued, adding that despite the findings the overall outlook was positive.

“The changes brought about by Covid-19 raise new opportunities to engage senior managers on cybersecurity issues, look at innovative training solutions and broaden recruitment practices to reach an enlarged talent pool,” the report concluded.

In March, the government’s Cyber Security Breaches Survey 2021 showed two in five (39 per cent) UK businesses had experienced cybersecurity breaches or attacks over the past year, costing each firm on average £8,460 (rising to £13,400 for medium to large businesses).

The survey also found only 18 per cent of businesses had a cybersecurity policy on how to use personal devices at work, with less than a quarter (23 per cent) having a cybersecurity policy covering home working, raising concerns the pandemic was putting firms at even greater risk of cyber attacks.

The most common breaches or attacks were phishing emails, followed by instances of others impersonating their organisation online, and viruses or other malware, including ransomware.