Organisations will be hit hard when EU Cyber Security Directive comes into force
A study from Tripwire and the Ponemon Institute has revealed that many of the world’s largest enterprises are not prepared for the new European Union Directive on cyber security, which states that organisations that do not have suitable IT security in place to protect their digital assets will face extremely heavy fiscal penalties.
The directive, which was adopted in July this year, will require that organisations circulate early warnings of cyber risks and incidents, and that actual security incidents are reported to cyber security authorities. Organisations that suffer a breach because they do not have sufficient IT security in place to protect their digital assets face fines of up to two percent of their annual global turnover.
However, Tripwire’s study, which looked at security management of 1320 IT security professionals working in healthcare and pharmaceuticals, financial services, the public sector, retail, industrial, services, technology, software and communications or education and research, revealed that most organisations are under prepared for the Directive and therefore at risk of being fined millions of pounds.
The overall findings from the survey were:
– 28 percent of organisations do not have a formal risk management strategy applied consistently across the entire enterprise
– Only 5 percent have a mature risk-based security management program
– The most significant barriers limiting the adoption of effective risk-based management activities within their organisation are:
– 34 percent said insufficient resources or budget
– 18 percent said lack of C-level support or buy-in
– 48 percent said lack of skilled or expert personnel
– Only 51 percent assess risks
– Only 58 percent assess vulnerabilities
– Only 58 percent identify threats
Dwayne Melancon, chief technology officer at Tripwire, said: “The new EU Directive has the potential to have a huge global impact because it applies to any organisation which operates in the EU, even if they are headquartered elsewhere in the world. Countries have been given two years to put the EU Directive into place and organisations should be using this time to tighten their security programs; ensure that incident detection and response processes are in place and effective; and harden their systems, applications, and networks to reduce the risk of breaches.”
Other findings revealed that:
– Only 13 percent of organisations have regularly scheduled meetings with senior executives to discuss the state of the security risk with senior management
– 25 percent do not communicate security risks to senior executives
– 37 percent only communicate security risks to senior executives when a serious security incident occurs
– 49 percent believe they are not effective at communicating the facts about the state of security to senior executives, because:
– 59 percent say the information is too technical to be understood by non-technical management
– 55 percent say negatives facts are filtered before being disclosed to senior executives and the CEO
– 14 percent say senior executives are not interested in this information
– 36 percent say it takes too much time and resources to prepare reports to senior executives
“The size of the fines connected with the Directive are so big they will definitely get the attention of CEOs and boards,” continued Melancon, “It is incumbent upon senior business executives to seek clear answers about security risks from information security leadership to ensure appropriate steps are taken to enable compliance with this Directive before it takes effect.”
“This Directive is an excellent reminder that adopting a recognized set of security controls can significantly accelerate the implementation of a reliable security strategy,” said Melancon, “Organisations looking to improve security practices can also access a wealth of practical information through peer groups such as sector-specific ISACs (Information Sharing and Analysis Centres) where they can share methods and practices to improve their chances of achieving strong outcomes for cyber security.”
About the Ponemon Institute
The Ponemon Institute© is dedicated to advancing responsible information and privacy management practices in business and government. To achieve this objective, the Institute conducts independent research, educates leaders from the private and public sectors, and verifies the privacy and data protection practices of organizations in a variety of industries
Tripwire is a leading global provider of risk-based security and compliance management solutions, enabling enterprises, government agencies and service providers to effectively connect security to their business. Tripwire provides the broadest set of foundational security controls including security configuration management, vulnerability management, file integrity monitoring, log and event management. Tripwire solutions deliver unprecedented visibility, business context and security business intelligence allowing extended enterprises to protect sensitive data from breaches, vulnerabilities, and threats. Learn more at www.tripwire.com or follow us @TripwireInc on Twitter.