By Dr. Guy Bunker, SVP Products, Clearswift
With new technology introduced to companies on a regular, and sometimes daily, basis, the IT security landscape is complex and constantly changing.
Over the past 10 years we have seen an ever-increasing number of data breaches within Europe, and when these breaches happen they dominate media headlines and can cause far-reaching reputational damage.
We are also living in the era of the cyber-criminal that knows no bounds. It is just as easy to launch an attack from a bedroom in rural regions of the continent as it is from urban Europe or the Far East. All of these factors combine to ensure that IT security is a top priority for businesses today.
With this backdrop in mind, we commissioned industry research to identify an emerging trend across the marketplace – the internal threat. Our latest research has found that 83 percent of organisations suffered a data security incident last year, with nearly a third of respondents estimating that data security incidents within the last year have come internally, from across the extended enterprise (employees, ex-employees and trusted partners).
However counter-intuitive this may feel, the focus needs to be reflected in organisations as internal threats emerge as a more significant danger than external threats. Either way, the potential loss in terms of fines, damaged reputations and even lawsuits means that information security is no longer just the responsibility of IT departments but needs to be addressed by businesses as a whole, and by all individuals from the top to the bottom and across the whole of the value chain.
Information security remains at the top of most organisations’ agenda and we have not only seen it discussed at the highest level within businesses but also within Europe. It was in February this year that we saw the European Commission publish “An Open, Safe and Secure Cyberspace” – its strategy on how best to prevent and respond to cyber disruptions and attacks, which moved the discussion to a new cross-jurisdiction level.
Another piece of legislation that is currently being considered is the draft EU Data Protection Regulation. In the past, we have seen a number of pieces of regional legislation covering the actions to take after a security incident. However, this new proposal is more of a shock tactic, so that it is not only those within the IT department that need to take action; it will also ensure executives realise their responsibility in protecting information.
The new proposal would encompass the whole of the EU, and breaching it could incur a fine of two percent of the annual worldwide turnover of a business. A game-changing action for any business.
So while the latest legislation should bring a new awareness towards the subject, we know from our research that the reality is that almost three-quarters of organisations are struggling to keep up with the changing security landscape today, let alone with new policies and legislation. Despite this, 81 percent think all companies should be more forthcoming about anonymously reporting major security breaches and attempts in order to help share where the risks are and to help in creating best practices around protecting against them.
Our research has found that IT security remains a top priority for almost half of organisations. But for those that are yet to put security high on the agenda, some simple advice to start: it is important to remember that corporate information security policies should reflect changes in business practice, whether this is adoption of cloud or BYOD or social media, to help protect businesses from internal compromise.
The whole process of protecting information needs to become ingrained in the culture of organisations. All employees must be made aware that there are credible threats both within and outside the organisation and actions must be taken to mitigate them.