For organisations that deal with cardholder data, proper security is not just a "one-person" thing. As an old African proverb goes, "it takes a village to raise a child". If we think of each organisation as a child, every single employee who comes into contact with cardholder data or the cardholder data environment has their own share of responsibility for keeping it safe.


So as an IT security professional, you can understand why it was so disappointing when I recently came across several reports suggesting that not only do many UK workers have very little IT security knowledge, but many IT professionals also have concerns about their employees' cyber security awareness. How can we as an industry prevent breaches when there are many people out there who don't understand much about IT security or how they can keep themselves safe?

Let's take a look at one of the most interesting pieces of research on this topic.

What do the stats reveal?

In October 2015, ESET compiled the results of a study that aimed to find out whether UK consumers are "cyber savvy", or have a good cyber IQ. Basic and intermediate questions were asked about a range of IT security topics, "the majority of which were answered incorrectly".

Some positive statistics from the study include the fact that 87% of respondents knew what "phishing" (a form of fraud in which attackers try to obtain information such as credit card details and account credentials) was, just 5% of respondents thought that paying the ransom was the only option when their devices are infected with ransomware, and just 16% said that there was no reason to be "careful" on the Internet if they don't visit "shady sites".

However, 23% of respondents thought that antivirus software would "fully protect them to surf the Internet safely", only 29% of respondents understood that passwords have to be complex in order to be effective, and just 28% of respondents knew that IoT stands for the Internet of Things. Moreover, 35% of respondents did not know what "vishing" (phishing over a landline telephone) was, 70% of respondents didn't know which Wi-Fi security standard was the most secure, and only 26% of respondents knew what a DDoS attack was.

What is also concerning is that just 25% of the 350 IT professionals surveyed for Barkly's Cybersecurity Confidence Report are confident in employee cyber security awareness. The remaining 75% think that employees' awareness is "moderate at best".

Additionally, the top five security concerns of IT professionals (highest to lowest) are:

  1. External breaches
  2. Uninformed employees
  3. Cloud security
  4. Insider threats
  5. BYOD (Bring Your Own Device) management

For executives, however, the top five security concerns (highest to lowest) are:

  1. Insider threats
  2. External breaches
  3. Uninformed employees
  4. Cloud security
  5. BYOD management

Also, just 26% of executives say that security is an essential priority, compared with 40% of IT professionals who think it is.

Why these stats are so concerning and what to do

While employees' lack of knowledge about cyber security would be troubling in any case, it is especially troubling given the current biggest threats to security. For example, IOCTA 2015 called 2015 "the year of the data breach", with one third of breaches resulting from "miscellaneous errors" such as accidentally publishing sensitive data to public servers or sending sensitive information to the wrong recipient.

With so many employees unaware of IT security basics, it is perhaps understandable that these breaches happen. It is not necessarily their fault for not knowing, and with improved knowledge can come improved security for your organisation.

One possible way of going about this is to create an awareness program. A security awareness program is required by the PCI DSS, and as we explain here, it can offer training to employees based on their job role, teaching them how to report security threats and why cardholder data security matters.

Creating a PCI DSS Awareness Program to educate employees

A QSA is a Qualified Security Assessor, an expert who has mastered the PCI Data Security Standard. One of the most important PCI DSS requirements is Requirement 12.6. Following this requirement is a key step towards creating and maintaining a solid awareness program for your employees. Learn more about this requirement and what PCI DSS can do for your organisation.

Written by Igor Mancini

Marketing Director at Advantio. The articles published in the Advantio Blog have the goal of supporting our mission: making IT Security simple for everyone.

My intention is to discuss IT security related topics through the eyes of a non-technical person, using simple language and trying to show readers the benefits of IT security best practices.