One of the biggest revelations of the UK government’s 2015 survey on information security breaches is the cost of human error. Statistics collected by PWC show that 50% of the worst security breaches in 2015 and that three-quarters of large organisations suffered staff-related breaches. The takeaway is that there is still a ‘people problem’ that many organisations are failing to address.

In the words of Adrian Davis, (ISC)2 European managing director, the report reveals that “the elephant in the room” in cyber security is the human factor. According to Davis, the rise in outsourcing also indicates that companies are seeking to offload their cyber security responsibilities to others rather than ensuring their in-house employees are equipped with appropriate security knowledge. The has led to basic attack methods being successfully utilised to penetrate large organisations through their employees.

The (ISC)2 Foundation, a non-profit charity fostering a safe and secure cyber world for everyone, has recently conducted its own global survey of the information security workforce. The study reveals that phishing attacks – hoax emails that dupe people into downloading malware – are still the most common threat technique used by malicious actors.

Even more worrying is the fact that more than a third of all cyber security investments are used for technical controls, while only a quarter of companies plan to invest in training staff. This indicates that businesses are falsely reliant upon security technology instead of investing in vital staff education and training.

According to Davis, no matter how strong your technical defences are, poorly trained employees have become a prime gateway for attackers to get in. He believes that complacency around awareness training is exacerbating the security breach issue.

Companies train staff to protect themselves in the real world with health and safety training. They need to treat information security in the same manner by teaching employees safety in the virtual world. Davies also believes that the rise in bring your own device offers more opportunities for malicious actors to attack organisations through their staff, reinforcing the urgent need to teach employees about cyber security.

“Too many companies still treat cyber security as a niche specialism closeted away in the IT department or outsourced to professionals instead of giving the topic the much-needed attention it deserves by educating all company employees,” Davis said.

"The massive business and reputational damage unveiled in the survey offer a new imperative for businesses to change their approach to cyber security", Davis added.