Employees aware of cyber threats but not acting upon them

Study findings call for new business strategy direction to tackle 'security fatigue'

By David Beach | 13 August 2018

Just 56% of UK firms believe they have sufficient cyber security skill in-house to deal with increasingly potent and mission-critical cyber attacks.

Databarracks’ annual Data Health Check Survey questioned 400 IT decision-makers on a series of critical issues relating to their IT, security and business continuity practices.

“We are in the midst of a rapidly accelerating arms race,” said Peter Groucutt, managing director of Databarracks. “Organisations are desperately trying to match criminals, by working hard to improve knowledge, training and investment in security defences, but are clearly concerned about keeping pace.”

The findings reveal a distinct lack of confidence despite increased cyber security investment.

“Importantly, organisations shouldn’t become disheartened. While confidence levels are not where we hoped, businesses are making positive strides and acting on the front-foot to fight back, which makes us optimistic for the future,” said Groucutt.

Greater investment and lower confidence could suggest a growing gap between security innovation and criminal attack innovation in the cyber arms race.  

“Cyber threats are evolving at such a pace organisations cannot stand still. In previous years, organisations have failed to match these threats with action and investment,” said Groucutt. “Today, businesses are fighting back and shoring up defences, as our data shows.”

But he does not believe there is a quick fix, and instead calls for a holistic view of cyber security software, each firm’s hierarchy, and its IT culture. “Critically, it is not just about hiring a CISO, or introducing a new cyber security policy or investing in new threat monitoring software – it’s about all of these activities and a fundamental culture change for most organisations.

“Over time, as organisations see this increased proactivity and investment lead to better security, we’re hopeful confidence will also improve.”

A new approach to security

It is the cultural attitude towards cybersecurity that is perhaps most worrying to CISOs and CIOs today. And it would seem that no amount of money, messaging or new procedures can encourage best cybersecurity practice among the general workforce.

“Employees in Europe have been inundated with security messaging through their organisations, as well as the media,” explained Morten Illum, VP EMEA at Aruba, “clearly giving further warnings and adding procedures isn’t having the desired effect. If employees understand the risks, but aren’t acting on it, the answer is not to provide yet more training, but to bring in enhanced technology that can provide the assistance and the protection workers need to do their jobs.”

Aruba conducted a study of 2,650 European employees into ‘security fatigue’ (disregard for cyber threats) and found UK employees to be the most concerned about data security, at 53%.

The study also revealed that recent legislation proved instrumental in raising awareness around cyber threats, particularly the regulatory consequences. European employees were top of the list, with 42% aware of the legal ramifications, ahead of the Americas at 36% and Asia at 27%.

It also suggested that a comparative lack of responsibility over IT matters could be contributing to security fatigue. In Europe, 36% believed cyber security was not their problem, with 26% believing it to lie with IT and 10% with the leadership team.

An autonomous approach to security is becoming more of an imperative as mobile and remote working becomes the norm. In Europe, the proportion of employees working in remote or shared locations is now at 53%, according to Aruba’s study.

This new paradigm creates the need for smart digital workplaces that deliver secure and reliable, optimised and personalised experiences that will foster employee creativity, collaboration, and speed, without clunky security systems causing barriers.

To succeed, Gartner has recommended a Continuous Adaptive Risk and Trust Assessment (CARTA) approach to security which leans heavily on AI, Analytics and Automation to embrace the opportunities and manage the risks of digital business.

This leads to a more productive and more motivated employee, with a greater sense of job satisfaction, according to the firm.
