kran77 - Fotolia
European firms are set to continue to invest in data protection for a third consecutive year – with the EU General Data Protection Regulation (GDPR) compliance deadline on 25 May 2018 – while investment also continues in cloud and mobile platform security, with a foray into deception technologies, a 2018 IT priorities survey has found.
Data loss prevention (DLP) is to be the top security initiative across Europe, with 55% of organisations planning to implement it in 2018, up 106% compared with the previous year, according to the latest Computer Weekly and TechTarget IT Priorities survey.
DLP dropped from being at the top spot in 2016 in the UK, to eighth position in 2017.
Significantly, planned adoption of encryption – which is widely considered as essential to data protection at rest, in transit and in the cloud – is up 94% compared with 2017. Planned investment in endpoint security is up 68% compared with 2017, which is relatively high considering it was the top priority for most European firms in the past year.
Encryption has become increasingly common in organisations as technologies have matured and concern around data protection has increased, driven by the GDPR and other regulations. Similarly, the continued emphasis on identity and access management (IAM) is in line with predictions that identity will become increasingly important as organisations become more digital.
Some 42% of European firms plan to invest in identity and access management this year, which is again reflective of the trend towards improving data protection, and is up 58% compared with 2017 as organisations attempt to take greater control of who has access to critical data. Similarly, planned network access control investments are up 46%, with 39% of organisations polled planning initiatives in this area.
In the light of the Equifax breach and WannaCry attacks in 2017, it is not surprising that planned investments in patch management are up 51% this year, but it is a little surprising that only 39% of European firms overall are planning security initiatives around patch management in 2018. The Equifax breach and WannaCry attacks underlined the importance of effective patch management and highlighted the fact that many organisations need to improve in this area.
Security training to get much-needed investment boost
As data breaches have continued to escalate in recent years, security experts have emphasised the importance of user security awareness and training. It is therefore encouraging to see that 43% of European organisations are planning to implement user training in 2018, up from just 29% in 2017.
The poll revealed an even more dramatic increase in the UK, with 46% of companies polled saying they plan to address user training this year, which represents a 99% increase from 2017.
These statistics are in sharp contrast to the fact that user training in 2017 was down 27% in Europe and down 33% in the UK compared with 2016.
Security industry experts believe that when properly executed, with regular, simple messaging, user training can be extremely effective, particularly in helping employees to recognise and respond to phishing attempts, which is a common first step in most cyber attacks.
Another indicator of maturity is the adoption of single sign-on systems as organisations seek to make it easier for employees to access data assets securely.
Single sign-on typically means employees only need to remember a single complex password to access multiple systems, and that passwords can be strong because users do not need to remember lots of them.
Investment in this area is set to continue for 31% of European companies, which represents an increase of 49% compared with 2017.
While there is a slight decrease (-1%) in companies planning investments in network-based security, 31% of companies are still planning investments in this area, with 35% planning initiatives around next-generation firewalls (an increase of 44%), showing that investment in traditional security technologies remains strong, despite indications that they are not keeping pace with emerging threats.
There is, however, some indication that organisations are moving to new security technologies, with 10% planning investments in deception technologies. While this is a relatively low percentage, it represents a 97% increase compared with the previous year.
IoT security investment to drop off
Investments in other newer security technologies are also showing increases from low bases.
Planned investment in threat detection is up 48%, threat intelligence is up 47%, and application-based security is up 43% after two consecutive years of stagnation in investment in this area.
However, internet of things (IoT) security is surprisingly down 13%. This could possibly be ascribed to the absence of any verified threat to the enterprise, and to the fact that there is to be a 16% reduction in IoT application investments across Europe this year, compared with 2017.
According to the latest reports, the biggest immediate security and privacy risk of IoT devices is to consumers, who need to be educated about the risks to drive up demand for devices that are secure by default and secure by design.
That said, UK enterprises appear to be taking the threat seriously, with an 18% increase in planned investments in this area in the coming year, despite only 7% indicating they are planning to implement IoT applications in 2018, compared with 14% of all organisations across the region. Also, UK organisations indicated a 47% reduction in planned investments in IoT applications.
UK bucks European trends in security spending
Surprisingly, cloud security investments are set to increase only by 3% across Europe in 2018, with 32% of companies in Europe planning investments in this area. This is despite the fact that public cloud storage is to be the top storage initiative by European firms and more than a quarter of organisations across the region plan cloud-based application deployments.
However, the UK is once again bucking the regional trend in terms of cloud security spending, with 39% of organisations planning cloud security initiatives, which represents a 47% increase compared with 2017. This is aligned with the fact that 33% of UK organisations plan cloud-based software initiatives in 2018, which is above the regional average of 27%, and 28% plan public cloud storage initiatives, which is above the regional average of 22%.
UK companies are also prioritising secure point-of-sale devices, with 13% of organisations planning investments in this area, up 159%, compared with just 7% of organisations across Europe as a whole, which represents a 23% increase. These increases are likely to be in response to the growing trend in recent years of compromising point-of-sale devices to steal payment card data.
Another area where UK organisations appear to be bucking the trend is in terms of planned security initiatives around fraud prevention. While across Europe, there is set to be a 16% increase in the number of organisations investing in fraud prevention, with 18% of organisations planning to do so, in the UK only 10% plan fraud prevention initiatives, which represents a 43% decrease compared with 2017. This is perhaps driven by the fact that fraud figures in the UK dropped by 11% in 2017.
However, 56% of fraud incidents were cyber related, according to the latest crime report of England and Wales, suggesting that this should still be a priority area for UK organisations in terms of cyber security.
Across Europe, 29% of organisations plan investments in mobile security. This is a rise of 26% compared with 2017. Mobile security continues to be considered important by organisations using mobile platforms, despite indications of a slowdown in investment in mobile applications of 29% across Europe and 56% in the UK.
Security spending on the rise overall
The 2018 IT Priorities survey indicates that most organisations plan to increase their investments in security in the coming year, driven mostly by regulation and to a lesser extent the continuing trend towards cloud-based and mobile platforms.
However, investment in traditional security technologies appears to remain strong and unchanged, while investment in newer security technologies developed in response to the changing technology environment is still fairly limited and tentative. Security industry commentators believe this must and will change as more organisations adopt a risk-based approach to security and security investments.
Read more about IT security spending
- Security spending not on most-effective controls, report reveals.
- UK businesses need to adopt a risk-based approach to cyber security spending to ensure the best return on investment and most appropriate data protection, says industry expert.
- Cyber breaches are rising despite increased security spending, a study shows, highlighting that security investment decisions are not aligned with cyber threats.
- Awareness of the impact of cyber attacks on business and regulation are expected to be the top drivers of continued and increased spending on cyber security, according to Gartner.