TechBeat: Data protection and compliance
20 June 2016
Again looking at response capability, nearly two thirds (61%) confirmed they had a crisis management plan in case of data compromise, which left more than a quarter (27%) that did not, and 12% who didn’t know.
Any incident response is only as effective as the resources behind it, and the survey asked about cybersecurity spending over the next 12 months. Interestingly, no one reported an expected drop in cybersecurity spending, while 37% expected no change. More than a quarter (27%) expected a rise of up to 25%, while a fifth (21%) expected a rise of 25-49%. Just 8% expected a rise in the 50-75% range, while 9% expected a rise beyond that.
The fact that 65% of organisations expect an increase in spend on cybersecurity is reflective of three things, said Larkin.
Firstly, he said, “the increased level of effectiveness of the threats and threat actors based on the easier monetisation of return of data to targeted organisations from denial of service, ransomware, data and identity theft etc.”
Secondly, the increased levels of board awareness based on the publicity and adverse effects that breaches are having on organisations affected. And finally, the need to be seen to react to the above issues means that plans are identified to respond and resources are being allocated to execute those plans.
Board level awareness and buy-in are critical in these efforts, and the majority (57%) of respondents said that they felt the board had sufficient knowledge of the security landscape and threats being faced. However, this still left a third who were not confident of such knowledge and understanding and 10% that did not know.
The survey asked where additional cybersecurity resources would be focused. The most popular area was prevention technologies such as firewalls, intrusion prevention and data leak protection (69%), followed by personnel protections, such as awareness training, and detection technologies (62%), such as security analytics, security information and event management (SIEM) and security operations centres (SOC). These were followed by compliance technologies, damage remediation systems and accreditations, such as ISO 27001.
Respondents were asked if they felt that security threats and procedures might be limiting or holding back the business, and most (58%) said no. However, 14% said that their business was being held back by less than 2%, while 8% said less than 4%. A little more (12%) said that the drag was between 5 and 10%, while a further 8% said 10% negative or more.
Larkin said this is significant in terms of information security being a potentially business limiting factor, as it points to the need for organisations to truly focus their energies on employing effective management strategies to reduce this negative business limitation.
It also points to the need for much more coherent and effective national and international commercial and governmental strategies to tackle information security, said Larkin, along the same lines as international terrorism or international drugs crime, as these limitations are not just affecting commercial organisations, but society as a whole.
With regard to the EU-US Privacy Shield, the survey asked if organisations had a policy to conform with the agreement. A third did not, with 42% who did not know, while more than a quarter (26%) did.
“We believe,” said Larkin, “this reflects some of the chaos and confusion arising from the striking down of Safe Harbour, and the rapid but confused response to put something else in its place.”
“Our experience is that there is a significant amount of ‘wait and see’ going on as a lot of organisations are not convinced that Privacy Shield is robust enough to withstand further challenges, or indeed that it is the finished article, so a significant investment of time and resources at this stage may be wasteful until this framework is washed out further,” said Larkin.
What emerges from this survey is that Irish organisations are cognisant of cybersecurity threats, and of what must be done about them. From both a resource and a personnel perspective, there is investment and confidence to defend against the threats they face. However, while confidence and trust in cloud is growing, third party assurance and auditing clearly need improvement.
With some clear areas of concern, overall, Irish organisations appear to be doing the right things, with C-level awareness and support to protect data and comply with the relevant regulations. While one of those areas of concern is incident reporting, the GDPR is clearer on this than previous measures.