Wednesday, December 27, 2017

An example of irony

Did you know that nobody knows who invented fire hydrants because the building where the patent was kept burned down in 1836? That Gary Kremen, the founder of lost his girlfriend when she left him for a man he met on And that Hitler was a Jew? Yes, he was Jewish. These facts, along with many more, are historical anecdotes that show us how ironic life can sometimes be. This irony sometimes carries over to the world of cybersecurity.

This week we want to look at the results of a new PwC report, entitled '2018 Global State of Information Security Survey (GSISS)'. This study explores the extent to which the 9,500 respondents are prepared to withstand possible cyberattacks, considering that cybersecurity ranks first on their list of concerns. The result is... ironic.

Although cybersecurity continues to be one of the main concerns for companies worldwide, the low acceptance of this area as a key part of business strategy by Boards of Directors, together with poor communication, leads to terrible results. According to this survey, less than half of companies have completed basic vulnerability assessments, so they do not even have enough information to know their current level of security.

The survey shows considerable concern among respondents about the consequences of a successful attack on their systems. 40%, for example, imagine an interruption of operations or manufacturing processes, 39% imagine a loss or compromise of confidential data, while 22% believe that a security breach could even affect the safety of their workers and customers.

The research indicates that, despite these concerns, a large part of the respondents do not have a security awareness program focused on employees (who, according to previous reports, have been identified as a weak link in terms of protection against cyberattacks). Meanwhile, 54% do not have an incident response process, which is increasingly pressing for organizations that handle information about EU citizens due to the imminent arrival of GDPR legislation.

The Board's participation continues to be a key driver in the implementation of broader security, with solid governance and acceptance by executives linked to the success of a broader strategy. However, the research found active participation in 44% of its corporate meetings. The activity of the Board is relatively weak in terms of participation in security policies, at 39%, while its support for security technologies and its review of current security and privacy risks are reported by 36% and 31% of the respondents, respectively.

The chief security officers, responsible for cybersecurity planning and incident management, tend to have relatively varied reporting lines. About 40% report directly to the CEO, while 27% report directly to the board, which reflects a possible bottleneck of information for the board. Other reporting lines include the CIO and the privacy director. More generally, there is a fragmentation of opinion when it comes to the approach taken to ownership. Many organizations (48%) don't have a CISO, CSO or equivalent position, while around 45% report that they employ a security chief, and 47% employ security personnel without any training in this regard.

When it comes to processes that are considered key to discovering the "cyber risks" that companies face, less than half of the respondents had implemented some strategy. Vulnerability assessments, for example, had already been implemented in 45% of organizations, while penetration tests were implemented in 42%. Other processes, such as threat assessments and active monitoring/analysis of information security intelligence, were implemented in 45% and 48% of respondents' organizations, respectively.

You know the risks, you fear the consequences, but still the decisions do not come. Until Boards of Directors take action, employees are trained in cybersecurity and those behind cyberattacks are taken seriously, the results of this type of survey will not improve. Considering the amount of information that we have access to today, it is at least... ironic.

