by Bharat Mistry
The latest findings from PwC’s Global State of Information Security Survey 2018 are out and they don’t bode well for GDPR compliance. In fact, many UK organisations polled don’t even know how many attacks they suffered last year or how they occurred, while board-level involvement in cybersecurity strategy remains minimal. These findings chime with those of a major piece of Trend Micro research into the forthcoming European data protection regulation.
To overcome these challenges, UK firms need to refocus their efforts around cybersecurity best practice, starting with a layered approach to threat protection blending multiple techniques at endpoint, gateway, datacentre and network levels.
A sorry snapshot
The PwC report is well regarded as providing an accurate view of organisations’ information security posture. Unfortunately, this year’s study found continued problems for the 560 UK respondents polled. Over a quarter (28%) said they don’t know how many attacks their organisation suffered over the past year while a third (33%) said they don’t even know how these incidents occurred. What’s more, 17% claimed they don’t conduct preparedness drills and less than half (49%) conduct pen tests.
This is despite the serious impact of cyber attacks. UK organisations faced on average 19 hours of downtime due to security incidents, 20% lost employee records and 21% had “internal records” compromised, according to PwC. Even more important for GDPR compliance, nearly a quarter (23%) said attacks last year compromised customer records. That has major consequences in terms of GDPR and industry fines, customer attrition, company share price, brand value and more.
Perhaps it’s not surprising, given these serious deficiencies, that only around half of UK organisations (53%) have a cross-organisational team in place to deal with cyber incidents, while only a third (34%) have boards actively participating in the security strategy, versus 44% globally.
This isn’t far removed from the findings of GDPR research recently conducted by Trend Micro, which uncovered serious security shortcomings among UK firms. We also found little appetite from the board for involvement in cybersecurity. In fact, just 22% of those we polled said the C-level was involved in security. There was also a widespread lack of awareness about which types of data must be protected under the GDPR, and over two-thirds (67%) were unaware of the size of the non-compliance fines awaiting them, which can reach up to 4% of global annual turnover or £17m, whichever is greater.
The layered security difference
It goes without saying that this doesn’t bode well for UK organisations. Given the current uncertainty arising from Brexit negotiations, the last thing they need is yet more instability stemming from the self-inflicted wound of GDPR non-compliance. When it comes to the data protection aspect of the new law, regulators are essentially looking for organisations to follow standard best practices, such as those promoted by the National Cyber Security Centre (NCSC). You don’t have to reinvent the wheel; just follow industry guidelines, led from the top by a proactive board.
These include comprehensive education and awareness programmes alongside incident management, tightened access controls and continuous monitoring, amongst other steps.
When it comes to combatting cyber-threats, we’d recommend a layered approach that combines multiple threat prevention techniques: signature-based detection to mop up commodity malware, with behaviour-based tools, application whitelisting and machine learning added on top to spot more sophisticated threats, including zero-day malware.
Such is the variety of threats facing firms today that the key to effective defence is to invest in systems which offer a broad sweep of such techniques, across endpoint; web and email gateway; network; and hybrid cloud server environments. If they’re all powered by global intelligence, shared between each tool and layer, then you’re heading in the right direction towards connected threat defence.
With targeting of employees now the most common cause of security incidents in the UK (27%), user education alone isn’t enough. You need a strong layered security strategy and watertight policies to back this up, keep regulators happy and – most importantly – ensure key data and systems are kept safe from harm.