The headlines go to cyber crime attacks, but compliance ultimately remains the main lever of IT security spending, at least for SMEs. That is what emerges from the 2016 Survey by the Information Security & Privacy Observatory of the Milan Politecnico School of Management, presented on 2/2 at the conference “Cyber Crime: the invisible threat that changes the world.”
Alessandro Piva (Observatory Director) reviewed the Italian IT security market, which is growing by 5% (in line with the world average) and remains concentrated in large companies (74% of spending), but also shows signs of awareness among SMEs, 93% of which have spent something; little, but they have spent, which suggests that at least they have identified the problem. The worrying aspect is the traditional nature of most activities: identity management, attack detection, conventional process analysis; in short, an absence of innovative initiatives. Organizational awareness is poor as well: there are still few CISOs, and most of them report to the IT manager. Awareness measures are inadequate too: almost all large companies run them, but they largely consist of periodic emails; only 28% are deploying structured outreach projects or vulnerability assessments of employees.
Five areas (cloud, mobile, IOT, intelligence and insurance) were examined in depth by the research. In CLOUD a defensive attitude prevails, limiting its use because of doubts about reliability and security. The lack of visibility into the policies implemented by suppliers (and the suspicion of attacks sustained but not disclosed) remains an impediment, which however seems to be being overcome thanks to the maturity of the quality assurance provided by the providers. Turning to MOBILE, the great pervasiveness of smart working has rightly pushed companies toward wide adoption of MDM solutions and toward properly considering the human factor. Security for the IOT is widely debated (40% are considering the issue) but has so far led to the adoption of few measures (13% are taking action). On the CYBER INTELLIGENCE front, 68% of the sample practice threat analysis, but mainly ex post; only 20% do it ex ante in order to prevent threats. Finally, CYBER INSURANCE still sees limited adoption of specific insurance coverage, mainly because of the unpreparedness found among players on the supply side.
As mentioned at the beginning, it may seem paradoxical that companies decide to protect data only because legislation requires it, but we know it is so, as evidenced by the responses given by SMEs. So, since regulatory compliance remains the main driver of spending, let us review the evolution of the regulatory framework and its implications for business with Gabriele Faggioli (Observatory Scientific Manager).
There is a common trait in the four European pieces of legislation that together will form the EU Security Framework in 2018 (GDPR, eIDAS, NIS Directive and Criminal Offences Directive): the requirement that measures be adequate, based on a risk assessment. The regulatory path leading to May 28, 2018 has been and will be punctuated by a series of steps (WP29 guidelines, the proposed e-Privacy Regulation, national laws, DPA measures…) and will result in a situation that is still hard to predict accurately, characterized by the co-existence of old and new. Until that date the GDPR “is not applicable”, but some issues cannot be ignored today: for example, the design of new products and services, which it would be wise to conceive right now according to Privacy by Design; or multi-year contracts signed in the coming months, which should already be GDPR-ready, to avoid having to rewrite them in May.
Among the guidelines already issued, everyone is watching the one on the DPO, but the one on portability should be considered as well, being an issue likely to find many companies unprepared. And speaking of preparation, what degree of readiness did the Survey detect? 46% of large companies have already started, and the figure has been rising sharply in recent months.
In SMEs the regulatory issue is taken into account but not staffed: they will surely have to resort to the simplifications provided by the Codes of Conduct. But even large companies are not so well prepared: 50% have not yet defined a BDG, so they will have to do everything in 2018. 45% are not planning any organizational change: evidently they have not heard of the DPO… pay attention to the WP29 guidelines, which set very broad criteria for compulsory designation. It is a very delicate role, one that complex organizations would do well to keep in-house, while an external DPO remains a valid option for smaller parties.
As he always does, Faggioli also offered a far-from-obvious tip about organizational changes: the figure of the internal Data Processor is likely to disappear (sic), leaving only Data Controllers and external Data Processors on the field, for which joint liability with the Controller is planned.
The issues at the center of the survey were addressed later in the morning by several voices in three round tables, which saw relevant suppliers facing demand-side players.
The conclusion was entrusted to Alessio Pennasilico (Clusit Board Member), who lived up to his reputation as a “provocateur” (meaning one who offers original and unusual points of view). So: we all now know that information is an important asset for a company, but then why is there no balance sheet item representing it? And why can I write off a van but not a 27001 assessment? It is time for companies to start understanding the cost represented by the loss of a single piece of information: a customer record may be worth an average of $150 (much more in healthcare), but incidents cost mainly in terms of service downtime, incident remediation, image and reputation damage and, last but not least, sanctions. The mandatory data breach notification introduced by the GDPR will bring the phenomenon out of the shadows.
So what to do? Gain awareness (both at the top and at operational levels) and adopt a cyber risk governance framework (within which to correlate organizational, technological, procedural, compliance and audit issues). But above all, understand that it is our fault if the board gets bored when we talk about security and never finds the funds to adopt countermeasures: as long as we stick to qualitative risk analysis (probability, impact, green, yellow and red traffic lights), the question will be “how much does it cost to counter at least the red-light threats?” and, whatever the answer, the conclusion will always be “too expensive”. You must be able to switch to quantitative analysis in order to compare “how much the damage costs” with “how much it costs to prevent it”.