October is CyberSecMonth (https://cybersecuritymonth.eu/#/campaign), the EU’s annual campaign to raise awareness of cybersecurity threats and provide resources to help businesses protect themselves through education and sharing of good practice.

The month has been marked by the publication of a new study from Centrify which suggests that the great majority of UK workers (77%) have never received any form of cyber skills training from their employer.

The survey of 2000 full-time UK workers in professional services also found that over a quarter (27%) of them use the same password for multiple accounts, including work email and social media, putting both their personal security and that of their company at risk from hackers.

Additionally, 14% said that they keep their passwords recorded in an unsecured handwritten notebook or on their desk in the office. The news comes despite the UK Government’s drive to improve cyber security for companies, with its Cyber Essentials programme (www.cyberessentials.ncsc.gov.uk/getting-certified).

Centrify VP Andy Heather said: “In an age where cyber attacks have emerged as one of the most ruthless and successful forms of crime that can be committed against a business on a large scale, it is astounding to hear that so many UK companies neglect to instil even the most basic cyber security measures in their employees.”

Just one misplaced password could lead to the theft of millions of sensitive company documents and personal records, and to financial fraud, giving hackers access to critical data and potentially leaving a company liable to heavy fines from security watchdogs.

“Tackling this issue requires urgent investment in cyber skills training and adopting a zero-trust approach,” Mr Heather concluded, “to reduce the risk of weak passwords leaving easy entry points and to ensure malicious parties cannot run riot in company systems with stolen log-in credentials.”

Comment by BrightHR Chief Technological Officer Alastair Brown

Some employers may shy away from cyber security and data protection, either because they do not really understand it or because they do not fully appreciate its implications. However, it is essential that they are aware of their legal obligations under data protection law and, specifically, ensure that all employees are as well.

With fines now being issued for failed compliance, this area is only going to see increased levels of scrutiny over the next few years.

By providing cyber security training to their employees and taking steps to monitor their compliance going forward, employers can work to avoid substantial penalties for a breach of their legal data protection duties.

Last reviewed 8 October 2019