European firms are set to continue to invest in data protection in 2017, with legal enforcement of the EU General Data Protection Regulation (GDPR) on 25 May 2018. Investment will, however, see a new focus on cloud and mobile platforms, an IT priorities survey shows.
Endpoint security and mobile endpoint security are to be the top security initiatives for firms in the UK and Ireland (UKI) in 2017, according to the latest annual Computer Weekly/TechTarget IT Priorities survey.
This is closely followed by cloud security (26.2%) and identity and access management (IAM) (23.8%), which are the top priorities across Europe as a whole.
Across Europe, 27.2% of companies polled plan cloud security initiatives for 2017, while 26.5% plan investments in IAM.
This is consistent with the fact that cloud-based software as a service is the top deployment model companies plan to use in 2017, in both the UK (57.3%) and across Europe (46.9%).
Greater attention to endpoint security, particularly mobile endpoint security, in the UK may be linked to the fact that 39% of UK companies plan to use mobile deployment in 2017, compared with 34.4% regionally.
Similarly, 26.2% of UK companies (30% across Europe) plan to implement bring-your-own-device programmes for smartphones and tablets, while another 26.2% in the UK and 24% across Europe plan to implement a corporate-issued mobile device programme.
However, the continued emphasis on identity and access management is in line with predictions that identity will become increasingly important as organisations become more digital.
Identity is crucial
In the digital era, identity is crucial to providing consistent customer experiences, as well as controlling and tracking who has access to data in organisations from a data protection point of view.
Many organisations consider IAM systems as key to increasing data access controls and improving governance, once again driven by the need to comply with the GDPR.
Despite the focus on cloud and mobile, network security continues to be a popular area of investment, as indicated by 24.8% of companies across Europe and 18% in UKI. However, due to the shift to cloud and mobile, planned investment in network security is down from 29% in both Europe and the UK in 2016.
Although data loss prevention (DLP) continues to be a priority, it has dropped from the top spot in 2016 in the UK to 8th position for 2017. In line with a continued focus on data protection in preparation for GDPR compliance from May 2018, DLP is still on the agenda for 20.6% of UKI firms and 21.5% of firms across Europe. GDPR compliance can also be linked to efforts to ensure better security on mobile and cloud-based platforms.
Further illustrating the continued focus on data protection in the UK and Europe is the fact that 23% of firms in UKI plan encryption initiatives in 2017 and 21.8% of firms across Europe.
Despite continued investment in encryption, the forecasts for 2017 are slightly below those of 2016, when 32% of UK firms and 27% of firms across Europe planned encryption initiatives, suggesting that encryption is already fairly widely adopted.
Encryption has become increasingly common in organisations as technologies have matured and concern around data protection has increased, driven by the GDPR and other regulations.
Companies in both UKI and Europe are also continuing to invest in end user security training as a key component of data security.
But with 25.5% of European companies planning initiatives in this regard in 2017, and 23% of companies in UKI, the proportion of companies doing so is down on 2016 forecasts of 27% and 33% respectively.
Regular user security training is usually associated with a mature cyber security defence strategy, but if poorly executed, it can deliver disappointing results. A drop in planned investment in this area may be indicative of disillusionment around the effectiveness of user training.
However, security industry experts believe that when properly executed, with regular, simple messaging, user training can be extremely effective, particularly in helping employees of organisations to recognise and respond to phishing attempts, which is a common step in most cyber attacks.
Phishing attacks enable attackers to steal credentials and access IT systems in the target organisation, largely without detection or restriction.
Another indicator of maturity is the adoption of single sign-on systems as organisations seek to make it easier for employees to access data assets securely.
Single sign-on systems typically mean employees only need to remember a single complex password, and that passwords for individual systems can be strong because users do not need to remember them.
Investment is set to continue in this area by 22.5% of European companies and 19% of UK firms, but a slight drop from 2016 levels of 24% and 35% respectively probably also indicates these systems are already widely deployed.
The recognition that the effectiveness of traditional security products is decreasing appears to be continuing to influence security investments, with 25% of European companies and 27% of UKI firms planning to implement vulnerability management technologies, up from 22% across Europe in 2016.
This trend is also reflected in the planned investments in next-generation firewalls across Europe by 18.5% of companies, threat detection and management by 15.7% of companies and security data analysis by 17.1%, although these levels are all slightly lower than 2016 figures.
While investments in these emerging technologies are similar in the UK, when it comes to threat intelligence services, 18.3% of UK firms plan investments in this area, compared with just 13.3% across the whole of Europe.
The trend towards lower levels of investment in application-based security tools in 2016 appears set to continue in 2017. Investments in this area are planned by only 9.4% of companies across Europe and 11.1% in the UK, figures that remain unchanged from 2016, despite attackers moving up the stack to the application layer.
Securing internet of things devices
There has been an increased emphasis on securing devices making up the internet of things (IoT) in recent months, and this is reflected in a slight increase from 2016 in the proportion of companies planning security initiatives in this area.
14.3% of firms across Europe and 13.5% of UKI firms plan to implement IoT security in 2017 – up from 11% for 2016 – but this proportion is likely to increase in light of the recent Mirai IoT botnet attacks.
These attacks have highlighted the potentially devastating consequences of failing to address the growing concern and unease among information security professionals that cyber attackers could exploit IoT devices.
Secure point of sale devices are at the bottom of the security priorities list for European companies, which is surprising considering the growing trend of compromising these devices to steal payment card data.
However, the low-ranking priority is likely to be due to the fact this area of concern applies only to retailers, rather than all business types. The same is true of fraud detection systems, which are being implemented by only 11.7% of firms across Europe, even though fraud is one of the most popular forms of cyber-enabled crime.
In December 2016, the UK was among 30 countries that contributed to the dismantling of a cloud-computing network used by cyber fraudsters to target one million users every week with malware-infected emails.