Data security and management: aware, yet still not accountable
While upper management has, on the whole, admitted that it is worried about the current state of cybersecurity, it still sometimes fails to take action, or the right course of action. This is a fact highlighted once more by the results of a study conducted by NewAlpha Asset Management.
Recently (a relative term here, since the evolution is surely measured in years), a climate of digital anxiety has settled among professionals and individuals alike. A focus group coordinated by NewAlpha questioned the representatives of 9 companies and revealed that 77.78% of executives consider IT security to be a main concern for their business. BUT (there is always a “but” in every story), while entrepreneurs have become increasingly aware of the issue, positive results are slow to appear. Indeed, the number of cyber attacks recorded on a global scale last year still spiked compared with 2015. While awareness campaigns only intensified over the course of 2016, how can we explain this contrasting picture?
The same study showed that one-third of the respondents were quite unsure what the impact of a vulnerability on their system would be. On top of that, some even failed to see why data protection is necessary at all. It is the typical speech: “I have nothing to hide, we are completely transparent, etc. etc.”. Online identity theft and targeted phishing campaigns are just a few of the counter-arguments that come to mind.
So here it is: CEOs have finally taken note that there is a problem and, to our delight, they immediately respond: “Yes, we have allocated a budget to the security of our servers” and “Yes, we have indeed implemented a cybersecurity solution”. All this is going in the right direction, but the study lacks precision on this point. While 100% said they are not willing to pay a ransom of more than 10,000 Euros, it is not clear how much they have set aside for securing their infrastructure, or even what type of “cybersecurity solution” they have put in place.
The battle is not over
That being said, it would appear that awareness-raising efforts have yet to generate conscious and personalized actions.
Indeed, the repetitive discourse that we often find in the media when cybersecurity topics are at a peak has failed to put sufficient emphasis on one essential aspect: good IT security practices are merely guidelines that must be adapted by each of us, not applied inflexibly. What works for one business is not necessarily the optimal solution for another. We should all have the same basic ingredients, but the recipe, the implementation process, may require a completely different approach according to one’s needs.
Cybersecurity experts should aspire to help company managers stop perceiving any single IT security tool as a Swiss Army knife. ‘I have an antivirus, isn’t that enough?’ or even ‘I have a SIEM, why would I also need a firewall?’. All these solutions are essential components meant to help us resist hacking perils. Together, they form a robust armor. But remove one part and it won’t take long before the black hats find your weakness.
When all is said and done, what is left to be done?
Go beyond vague terms. Take advantage of the major changes that will come into effect in May 2018 and reevaluate what state-of-the-art cybersecurity means for you. We are of course talking here about the new rules introduced by the European Union in the General Data Protection Regulation (otherwise known as the GDPR). The latter guarantees citizens that their personal data will be processed according to the required standards and that, in the case of a notable incident, they will be notified within the following 72 hours.
Those who have read the actual law will, without a doubt, have noticed one thing: the Member States of the European Union have avoided specifying precise means of implementing these obligations. This is quite understandable, since the text is deliberately written so that it can withstand the passage of time. However, its passages can always be translated into the technological means of the present (read our previous article about our SOC Reveelium here).
As such, it is imperative to prepare for the imminent application of these regulations. The obligations imposed on companies have increased considerably, as have the penalties. It is therefore urgent to plan inventories and to audit the way businesses are processing data, in addition to supplementing security with the elements it is missing. All this will surely have to be followed by the establishment of rules of conduct and policies, as well as more training programs. The end goal? Move on from cybersecurity awareness to an informed, action-taking attitude.
(About the author: Cristina Ion is community manager at ITrust SAS. This post originally appeared on her ITrust blog, which can be viewed here).