Will the EU’s new data laws wake up CEOs on cyber security?

Businesses in Europe are still putting far too much responsibility and accountability for cyber security on the IT department – but will new EU regulations change that?

In a study by Palo Alto Networks, nearly half the managers surveyed in European businesses said the ultimate responsibility for protecting an organisation from cyber security risks lies with IT. And even more surprisingly, more than half of IT departments agree. These people are wrong.

Cyber security isn't like 'normal' security in that there isn't one 'gatekeeper' keeping organisations and their information secure. Even if the selection of specific technology solutions sits with IT, a degree of responsibility has to sit with everybody in the organisation.

However, if we focus on 'accountability and responsibility', then the onus is on those in leadership positions to stress the importance of cyber security to employees. They are the ones who should have, or should be planning to develop, a top-down strategy tailored to risk.


Adding to this, the EU has reached agreement on the General Data Protection Regulation (GDPR) and the Network and Information Security (NIS) Directive, both of which will require companies to comply with, or at least act on, specific cyber security requirements.

There are important financial and reputational ramifications for organisations. A significant one that management will certainly need to understand is that their organisations may face fines and, in some circumstances, customers could claim damages in the instance of a data breach. That’s on top of the public exposure from notification and any ongoing legal processes.

Data protection rules and responsibilities will be refined, meaning that, if management hasn't felt it already, they have a duty to make sure that everybody in the business is working within the re-written regulations. It can't be, and never should have been, a matter of dumping a load of responsibility on the IT department.

Knowledge gap

Encouragingly, the majority (83%) of senior management in the survey said they have a good understanding of cyber security. However, this still leaves a not insignificant group of high-level executives who simply don't 'get' cyber security.

Palo Alto asked C-level executives specifically about what defined an online security risk, and one in ten said they only 'kind of' understood what one was, and that they 'still had to have Google explain it'.

So at present, it appears that in some businesses there is a lack of communication between management and IT over the importance of cyber security and the kind of damage a data breach could do.

The impending revisions to regulation give businesses the opportunity to revise their cyber security strategy: the new rules aim to harmonise requirements across the EU, providing both defined responsibilities and defined expectations.

The penalties and focus on cyber security at the EU level should be a wake-up call for all businesses to ensure they have the right executive engagement.

There's no room for lax security practices at any level of a business, but some lower-ranking employees are certainly not getting positive messages from management.

Although the majority of workers certainly demonstrate a growing understanding of cyber risks at a business level, one in ten don't believe their company's executive team or board has the relevant understanding of cyber security issues needed to prevent cyber attacks.


Everybody's responsibility

Some executives are prepared to pay for advanced security technology, but it's no use if they simply dump responsibility on the IT department and expect full protection. They need an understanding of good cyber security, including policy and management and communication throughout the business, in addition to the technology solution.

So security policy and risk management are key. Taking care of information should be an issue for the whole business – it's bigger than IT. Security and risk assessments must be done with full senior management backing and understanding, and the business as a whole should understand which assets are most valuable and most at risk.

Right now, it seems that there are challenges to be overcome in relation to awareness at the top. However, potential consequences are finally forcing some business leaders to focus on cyber security as a business-wide problem rather than just an IT one. That might be just what’s needed.

Sourced from Greg Day, VP and regional CSO, EMEA, Palo Alto Networks