Getty Images/iStockphoto

IT Priorities 2019: Cyber security and risk management among top priorities for 2019

This year’s Computer Weekly/TechTarget IT Priorities research shows that cyber security and risk management are among the top investment priorities

Cyber security and risk management (32%) is second only to IT automation (33%) in Europe, the Middle East and Africa (EMEA), followed by cloud migration (29%), when it comes to the broad initiatives 1,578 IT decision-makers in the region plan to implement, according to the 2019 Computer Weekly/TechTarget IT Priorities survey.

Although cloud migration is in the top position for 35% of the 387 UK-based IT decision-makers who took part in the poll, an equal number (33%) named cyber security and IT automation as an IT spending priority for the year ahead, indicating that for the UK and EMEA, security remains a key focus.

The focus on cyber security and risk is further underlined by the fact that budget is expected to increase in this area by 39% of EMEA respondents, while 34% expect security budgets to increase in the UK.

While spending on compliance with the European Union’s General Data Protection Regulation (GDPR) has fallen away as a specific area of spending, having been a top priority for the past three years ahead of the compliance deadline of 25 May 2018, the increased emphasis on data protection in the UK and Europe is likely to be responsible in part for the increase in focus on cyber security and risk as more organisations begin to view data breaches, particularly involving personal data, as an important part of business risk.

Unsurprisingly, when asked which elements of their IT environment they planned to monitor in terms of security, EMEA respondents ranked in the top four network traffic/flow data (45%), network performance (44%) identity and access controls (41%) and user behaviour (38%).

In the UK, network performance was top (50%), followed by network traffic/flow data (48%) and user behaviour (47%), but identity and access control was ranked sixth at 37%, below application performance (38%) and cloud workloads (37%).

The increased emphasis broadly on cyber security and risk driven by data protection concerns is also reflected in the fact that data governance is the third most highly ranked information management initiative, planned by 33% of EMEA respondents and second most highly ranked in the UK (39%).

The growing recognition by business of the importance of application security in reducing cyber risk and improving data security is reflected in the fact that 20% of EMEA respondents and 21% in the UK plan to deploy continuous testing as a software development initiative in 2019.

As organisations forge ahead with digital transformation to improve employee performance and productivity, streamline operations and boost efficiency, a significant proportion are recognising that digital transformation could potentially expose them to increased cyber risk. As a result, 29% of EMEA and 34% of UK respondents said they were planning to increase investment in security to address new threats and compliance requirements to support digital transformation.

When it comes to managed services, the data shows the UK is more mature than the EMEA region as a whole, with 26% of UK firms planning to implement Managed security services in the coming year and 10% planning to implement managed detection and response services compared with 22% and 8% in EMEA respectively.

In line with the focus on security, it is no surprise that identity management, single sign-on (SSO) and multifactor authentication (MFA) is the top mobility project for the most organisations in the EMEA region, with 39% of respondents planning projects in this area, followed by 35% planning to implement enterprise mobility management (EMM), mobile device management (MDM) and mobile application management (MAM).

Shifting security priorities

While security remains a key area of focus, the survey shows there has been a shift in priorities in the past year, with data loss prevention (DLP) falling from top priority in 2018 to fifth in this year’s rankings, with just 26% of EMEA respondents planning to implement DLP compared with 55% a year ago.

Topping the EMEA security initiative rankings in 2019 is email security (28%), followed by identity and access management (27%) and user security training (27%). This shift in focus shows and increased recognition of the fact that email continues to represent one of the top ways cyber attackers are compromising enterprise security and the continued importance of employees as an organisation’s first line of cyber defence.

Email continues to be a top means of initiating cyber attacks, with new detection bypass techniques and executive impersonation capabilities continually emerging, recent FireEye research shows. In 2018, the FBI estimated that scams resulting from business email compromise, such as fake invoices and wire fraud, had cost businesses $12bn globally since 2013, underlining that email security should remain a priority for organisations seeking to improve their security posture.

As security systems and basic defences at the operating system level have improved, cyber attackers have increased efforts to trick employees into clicking malicious links through various forms of social engineering, underlining the importance of employee education to ensure they understand the threats their organisation faces and the role they can play in keeping it safe.

While email security comes in as the third highest priority in the UK, organisations are demonstrating a higher level of maturity than the region as a whole by focusing on user security training, cited as a priority by 32% of UK organisations polled, followed by encryption (31%) and email security (30%).

Multifactor authentication is also at 30%, compared with just 18% at across EMEA, despite the importance of MFA being highlighted with each high-profile data breach.  

Every company, regardless of size – from the smallest to the largest enterprise – should adopt MFA in 2019, according to Corey Nachreiner, chief technology officer at WatchGuard Technologies.

“This definitely should happen for their own protection, but I suspect there will be many laggards, despite the fact that today’s MFA solutions are much easier and less expensive,” he told Computer Weekly.

It is encouraging that encryption is a priority for 30% of UK organisations and 26% across the EMEA region as a whole, but this is down from 52% across EMEA a year ago, and other research indicates that while there has been a focus on encryption in the recent past, many businesses are still not applying common encryption tools effectively to contain the fallout and costs of data breaches, which suggests a lack of maturity in deployment.

Unsurprisingly, identity and access management (IAM) remains a top priority, ranked at number two across EMEA, but with only 27% of respondents planning initiatives in this area in 2019 and just 25% in the UK, indications are that most organisations addressed this as a priority as part of their GDPR preparation, with 42% of European organisations indicating they planned to invest in IAM in 2018.

Security budgets expected to rise

While the biggest IT budget increases across EMEA are expected to go to cloud computing and software, with 42% of respondents expecting increases in these areas, it is noteworthy that 39% of respondents expect security budgets to increase.

The strongest indicator that security really is rising up the priority list is the fact that more EMEA respondents are expecting budget increases in security than traditionally high-budget areas such as staff (29%), networking (28%), maintenance and support (24%) and consulting services (23%).

Increasing IT security budgets is consistent with a trend identified by a Thales report in mid-2018, which found that 69% of UK organisations reported an overall increase in their IT security spending, as did 75% of businesses in Sweden and 76% in Germany.

The fact that the percentage of organisations planning to invest in the various security-related technologies is fairly evenly spread for the year ahead indicates that rather than any particular area of focus, organisations are allocating security budgets across a range of initiatives in an effort to raise their cyber defence capabilities across the board and invest in a defence-in-depth strategy rather than betting on any single technology or group of technologies.

In addition to email security, identity and access management, user training and encryption, other security initiatives by EMEA organisations include data loss prevention, endpoint security, web security and threat detection.

In line with the trend of developing a comprehensive cyber defence capability, it is interesting to note that investments continue in areas such as application security in recognition of the fact that attackers are focusing on the application layer, and mobile device security and cloud security services in recognition that these new technology areas potentially present opportunities for attackers. 

Read more from the Computer Weekly/TechTarget IT Priorities 2019 survey


Read more on Hackers and cybercrime prevention

Data Center
Data Management