AI policies poorly understood by employees, raising UK risks
New research from e2e-assure has highlighted a significant gap in employee knowledge of, and adherence to, artificial intelligence (AI) policies, which could weaken the cyber resilience of UK businesses.
The study surveyed 500 cyber risk owners and 1,000 workers in the United Kingdom, revealing that while 85% of cyber risk owners are confident in their AI policy implementations, only 34% of employees are aware of these policies.
A concerning 81% of cyber risk owners expressed apprehension about AI, with 73% worried about a lack of employee diligence in mitigating cyber attacks. Rob Demain, Chief Executive Officer at e2e-assure, underscored the urgency of addressing these issues. "Our research this year has investigated the cyber resilience landscape in the UK and drilled down into how AI is set to impact UK businesses' cyber defences. What's clear is that the fragmentation of technology, including this year's stratospheric rise of AI, hasn't helped in building cyber resilience," Demain said.
Employees' frequent unauthorised use of AI tools like ChatGPT or Copilot also poses a problem. The research shows that 62% of workers have used these tools, with 41% using them at least once per week. This unauthorised use contradicts company policies and contributes to the high level of concern among cyber risk owners. Furthermore, 43% of employees reported being victims of a cyber attack at work, with around half of these incidents occurring in the past year.
Gartner's findings, cited by e2e-assure, reinforce these concerns. According to Gartner, 69% of employees have bypassed cyber security guidance within the last 12 months, and 74% indicated that they would do so if it helped them achieve a business goal. This lack of compliance is seen as a major risk factor by cyber risk owners, with 73% agreeing that most cyber attacks occur due to insufficient employee diligence. The use of unauthorised software topped their list of frustrations at 30%.
Despite these challenges, there have been improvements in cyber resilience among organisations. Compared to last year, there has been a 7% increase in the number of organisations confident in their resilience, with the figure rising to 29%. Investments in robust processes, technology, and training have been beneficial, but the adoption of AI remains a significant risk factor.
When queried about the consequences of falling for a cyber attack, over half of the surveyed employees (59%) said they either receive training and risk disciplinary action if they cause another breach (32%) or are required to attend training sessions (27%). Yet fewer than a quarter (24%) described themselves as 'very engaged' in these training processes.
To address these discrepancies, e2e-assure's report offers three key recommendations for cyber risk owners: keep employees at the centre of the security strategy, simplify security measures for end users, and ensure the right provider is in place to oversee these efforts.
Demain emphasised the need for ongoing education and training to mitigate these risks. "AI could be about to unravel everything that's been so hard fought for, putting UK businesses at risk. The need for ongoing education and training in this field will be pivotal in the months and years ahead," he remarked.
The study's findings underscore the critical role of employee awareness and engagement in maintaining cyber resilience, especially as the integration of AI technologies continues to expand. The research by e2e-assure calls for proactive steps to bridge the knowledge gap and ensure that both employees and cyber risk owners are aligned in their efforts to protect against cyber threats.