A shortage of cybersecurity professionals and a lack of organisation-wide training may be exacerbating a lack of cybersecurity skills in many European companies.
More than 70% of companies in the European Union have not taken any steps to train their employees on cybersecurity, or raise awareness of cybersecurity as an issue. This data comes from a new survey by Eurobarometer of companies in 27 EU countries in April and May.
Security breaches are worse than ever
It would appear that, for most organisations, increasing employees’ cybersecurity capabilities would be a top priority. Data breaches and cybersecurity attacks are becoming increasingly common. A survey of more than 500 IT and cybersecurity professionals within UK businesses found that 61% of businesses experienced a cyber breach last year. A quarter of those companies suffered three breaches or more.
Worldwide, the number of data breaches rose by 20% from 2022 to 2023, due to cloud misconfigurations, ransomware attacks, and exploitation of vendor systems. However, while attackers are using more sophisticated tools—like AI deepfakes and ChatGPT-generated phishing emails—humans remain both the best defence against cyberattacks and cybersecurity teams’ most glaring weakness.
According to data published in the State of Email and Collaboration Security 2024, 74% of all cybersecurity breaches are down to “human factors”. These include errors, stolen credentials, misuse of access privileges, and social engineering.
Not only is it becoming more likely that breaches occur, but data also suggests that they are wreaking more havoc than ever. A study released in April found that an overwhelming proportion (93%) of breached enterprises reported the consequences of their breaches as “dire”. Fallout commonly included operational downtime and financial losses, as well as reputational damage.
So, why is no one being trained?
The figures only make it more alarming that well over half of all EU companies have made no progress towards improving the overall cyber-readiness of their workforces. Additionally, 68% of the companies surveyed reported thinking that no training or awareness-raising about cybersecurity was needed. Another 16% said they were not aware of relevant training opportunities, and 8% said such measures were too costly.
The most common reason cited by organisations not training their staff on cybersecurity is that there doesn’t appear to be anyone who can do the training. Just under half of all respondents (45%) identified their biggest challenge as finding qualified candidates for cybersecurity positions. Almost half (44%) reported having no applicants at all.
Around 20% of companies reported that the continuous training required to keep cyber professionals abreast of industry developments was an obstacle to hiring. A similar number also cited rapidly evolving technology as a challenge to finding qualified workers.
As a result, it appears that, in Europe at least, the cyber skills shortage is driving a lack of cyber awareness across the whole business. It’s also possible that a lack of cybersecurity professionals leads to a lack of training, which then leads to a lack of awareness of a need for better cybersecurity measures. Until there’s a breach, of course.
Things are similar in the UK. According to the British government’s 2023 Cyber Security Breaches Survey report, only 18% of businesses said that they’d organised cybersecurity training for their employees in the last year.
Kayne McGladrey, Field CISO, Hyperproof, commented that employers “should provide annual training at the very minimum, supplemented by micro-training modules after policy violations or incidents”.