The lack of collaboration on cyber security between the senior levels of business is leaving UK firms exposed to fines and reputational damage, a study has revealed.
One in 10 C-level respondents to a survey by Palo Alto Networks said they “kind of” understand what defines an online security risk, but admitted they “still have to use Google to help explain it”.
This finding suggests that the lack of consensus on where the responsibility for cyber security lies could stem from some lack of cyber security understanding at the leadership level.
The survey of more than 760 business decision makers in the UK, Germany, France, the Netherlands and Belgium found that a significant amount of accountability is placed solely on the shoulders of IT.
Nearly half of respondents believe that ultimate responsibility for protecting an organisation from cyber security risk lies with IT.
Indeed, 57% of IT department respondents said they had sole responsibility for a company’s security.
GDPR shares data responsibility across business
However, the European Union’s (EU’s) General Data Protection Regulation (GDPR), which is expected to be enforced by spring 2018, assigns responsibility to anyone who has access to data in the event of a breach – from customer service to IT and executives.
Failure to comply with provisions of the GDPR could result in fines of up to €20m or 4% of worldwide annual turnover, whichever is greater.
While most respondents demonstrated a growing understanding of the cyber risks that businesses face, one in 10 employees still do not believe the company’s executives or board understand current cyber security issues well enough to prevent their organisation’s computing environment from being compromised.
The study notes that while regulation and frameworks will standardise measures of success in relation to cyber security effectiveness, internal agreement is required in the meantime to allow for roles and responsibilities to be defined and for businesses to reach consensus on a unified approach.
Organisations need better view of risk
The survey results also highlight that the way in which organisations measure security does not provide a comprehensive view of all elements of risk.
The survey found that 25% of companies measure cyber security effectiveness by how many incidents have been blocked by a cyber security policy, 21% refer to how long it took an issue to be resolved, and 13% observe how long it has been since the last incident.
But according to Palo Alto Networks, pre-emptive and real-time measures – such as an organisation’s ability to monitor all the traffic in its network – also need to be taken into account to provide an accurate view of risk.
“The new EU regulations will require businesses to step up their cyber security practices, and this can be an opportunity or a risk, depending on how these businesses choose to approach it,” said Greg Day, vice-president and regional chief security officer for Europe at Palo Alto Networks.
“Preventing data breaches requires everyone in an organisation to work together, share knowledge and define success ahead of European data protection law changes,” he said.
Palo Alto Networks recommends that organisations take the following steps to strengthen their computing environments against cyber attacks:
- Build a cyber security strategy focused on preventing cyber attacks at every step of the attack lifecycle, taking employee awareness and accountability into account.
- Use automated, state-of-the-art security technology that not only complies with regulations but also enables employees to work efficiently with the tools they need.
- Educate everyone in the business on the role they play in preventing successful cyber attacks on the organisation.