Employees are the biggest threat to cyber security, says report

Research by IT Governance suggests over half of IT execs believe human error by staff is the biggest cause of data breaches

The number one threat of data loss doesn't come from cyber criminals and hackers - but from businesses' own employees, according to newly released research.

The Boardroom Cyber Watch 2013 report by training and consultancy firm IT Governance suggests that 54 per cent of "senior executives" consulted believe that their own staff are the biggest threat to cyber security.

It's not that staff have malicious intent, but rather data loss through human error, which is seen as the biggest risk to corporate cyber security. The report suggests that "creating awareness among employees about the consequences of human error for corporate security can help significantly reduce the number of staff-related data breaches".

Meanwhile, 27 per cent of those IT professionals surveyed by IT Governance believe that cyber criminals and hackers are the biggest risk to cyber security, while 12 per cent told researchers that state-sponsored cyber attacks are the primary threat. Eight per cent believe cyber attacks from corporate rivals are a threat to their organisation.

The research also found that of those who responded, one in four organisations admitted that they had been victims of a cyber attack in the past year. Worryingly, perhaps, the research suggests that only 30 per cent of organisations require those at board level to have an understanding of cyber risks.

"In the face of the rapid development and deployment of new cyber-threats, such infrequent executive oversight of IT security status seems alarmingly casual," said Alan Calder, chief executive of IT Governance.

"Companies are not ignorant of the risks: 77 per cent of bosses told us that their organisation has a method for detecting and reporting attacks or incidents. However, in the boardroom, many companies still appear too removed from the action for directors to meet their governance obligations."

According to Calder, businesses can demonstrate that they comply with the ISO 27001 security standard, which governs the explicit managed control of information security according to a checklist of requirements, including the protection of data.

"The best way for organisations to prove their cyber security credentials is to comply with, and be certificated against, ISO 27001, the global best practice standard for information security management.

"This lets you signal to customers anywhere in the world that you have a robust method for addressing the entire range of risks associated with systems, people and technology," he said.

Meanwhile, a recent report by consultants KPMG suggested that many businesses aren't properly equipped to protect themselves against cyber attacks.