UK Government Launches Second Cyber Security Audit On Firms

Last year a Government study found that roughly 55% of UK businesses had a ‘basic technical cyber security skills gap’.

This year the Government is launching the second phase of research to help understand the UK’s cyber security labour market. The research will aim to assess how companies across the country are handling the employment and training of IT professionals. Organisations across the public and private sectors have been chosen at random to be assessed. It is hoped that responses can help shape government policy and tackle shortages of talent.

The Government is hoping to see some improvement from last year’s study, where it was found that around 710,000 businesses lack basic cyber security skills. The results suggested that businesses are not confident in completing simple tasks such as creating backups, setting admin rights and managing secure settings. The audit found that 42% of businesses admitted they did not feel confident conducting their own penetration tests.

However, charities were discovered to suffer the biggest skills gap, with 55% of non-profit organisations lacking formal security infrastructure. The audit reported that 80% of charities had tasks such as interpreting malicious code, penetration testing, and analysis regularly performed by third-party specialists. Due to these results, the report recommended that the Government adopt a definition of cyber security skills, outline standard career pathways and relevant qualifications, and focus on potential future skills needs as well as current skills needs.

Although the biggest challenge is seemingly implementing robust security measures, the skills and experience felt to be more important in last year’s study were those related to compliance and legal issues. As the regulatory landscape is continually changing, GDPR being one example, it is very unlikely the findings will change much in the second study.

This year’s study will contact chosen organisations by phone between August and October. Participants will be required to answer a series of non-technical questions in a 15-minute interview. The most senior person responsible for cyber security at the organisation will be asked to answer, which could even be the business owner. It is likely that the results of this study will be published in late December, and it will be interesting to see if UK businesses have made any improvements to their cyber security knowledge.
