Cybersecurity is continually a focus of news headlines and remains very much a topic under discussion across the globe. As the world, its devices and its systems become increasingly connected, the need to have the right cybersecurity defences in place is clear and increasingly understood.
Businesses are certainly aware of how much damage a successful data breach can cause, so much so that it’s become a major boardroom issue, with employee education and their role in preventing cybersecurity incidents key in the thinking of directors and executives.
In Europe, firms also have new laws to think about in the coming years, particularly with new legislation coming in from the EU. The Network and Information Security (NIS) Directive and the General Data Protection Regulation (GDPR) come into force in May 2018.
So the question is: how prepared is Europe for breach prevention and for applying the “state of the art”? And how prepared is it to notify authorities in the event of a breach, whether that concerns the protection of EU residents’ personal data or the broader requirements in the NIS Directive to notify around certain security incidents, which apply to operators of essential services, with lighter requirements for digital service providers?
Results from our research, “Clearing the Path: Preventing the Blocks to Cybersecurity in the Business”, are encouraging. The research showed that European businesses certainly understand what’s at stake, with 96 percent of business decision-makers acknowledging that cybersecurity should be a priority.
Cybersecurity is not yet everybody’s business
But it’s not all good news. Cybersecurity should be everybody’s business, but it seems that this isn’t always true in practice – one in five management-level employees don’t feel they have a role to play in cybersecurity, while 40 percent believe that IT alone would be held to blame in the event of a breach. The upcoming pieces of legislation mean that such a legacy view will no longer survive.
By now we should all understand that cybersecurity isn’t just an IT issue but a business practice that needs to involve all employees and all departments. Our research indicates that this isn’t easy, as some cybersecurity policies have a negative effect on productivity – one in five respondents feel policies are frustrating and can prevent access to tools they need to do their job well.
On the other hand, our research indicated that 61 percent of respondents would make sure that they spoke with IT before introducing a device onto a corporate network. While that is an overwhelmingly positive figure, it leaves 39 percent of employees not engaging with IT before connecting – a high margin for risk. There was also some concern around temporary employees, such as contractors; 16 percent of respondents said they had observed that a temporary employee had circumvented policies.
It seems that, even though the bring-your-own-device (BYOD) model has been around for a long time, many companies still have trouble managing both personal and business access, especially as the boundaries between consumer and corporate cloud services become increasingly blurred.
Viewing cybersecurity as an integral part of the business
So there is still work to do, but progress is being made. Cybersecurity is becoming a boardroom topic and an integral part of the business. To continue along this path, organisations must understand that cybersecurity education, empowerment and implementation are all ongoing processes. This will mean continuing with education efforts and ensuring employees, both in full-time and non-permanent positions, have all the skills and training needed to identify and prevent threats.
The immediate challenge is to adapt to the cybersecurity requirements laid out by GDPR and the NIS Directive, which create a compelling case to prevent cybersecurity breaches. Looking at the bigger picture, organisations need to prepare for a period in which the number of devices is expected to grow exponentially as more data flows between businesses. Gartner says that 25 percent of identified attacks will involve the internet of things (IoT) by 2020.
Future cybersecurity strategies also need to keep in mind that employees will demand choice over the devices and services that they use. Organisations must enable this, rather than dictate, and that may well mean looking at next-generation security tools designed for a modern computing environment.
[Palo Alto Networks Research Center]