lolloj - Fotolia

Europe not ready for imminent cyber strikes, say infosec professionals

Information security leaders in Europe believe a major breach of critical infrastructure is coming and that data breaches in their own organisations are imminent – yet most are not ready

Most information security professionals in Europe believe a cyber attack will breach critical infrastructure across multiple countries within the next two years, and many say their organisations are not ready for the onslaught or compliance with new European data protection regulations, surveys show.

According to a poll of more than 120 IT and security professionals registered to attend Black Hat Europe 2017, 42% said cyber espionage by major nation states such as Russia and China and attacks by rogue nations such as North Korea pose the biggest threat to EU critical infrastructure.

Significantly, only 11% expect the EU’s directive on security of network and information systems (NIS Directive) to improve critical infrastructure security in 2018.

The survey paints a bleak picture of European organisations’ ability to defend themselves and their critical infrastructure against modern cyber attack threats.

Infosec professionals in Europe, like their US counterparts, are under siege with cyber defences stretched to the limit by a combination of threats from organised cyber crime groups and nation state-sponsored threat actors.

Organisations are as concerned about critical infrastructure breaches as they are about attacks on their own IT systems and services, with nearly two-thirds of respondents to the survey saying it is likely their organisations will have to respond to a major security breach within the next 12 months.

But security professionals in Europe feel they do not have the time, budget or staff to meet the growing security challenges and the extra burdens placed on them by regulations such as the General Data Protection Regulation (GDPR).

Nearly 40% believe GDPR requirements will have a major impact on their current staff and IT budgets in the coming year, with nearly six out of 10 respondents saying they do not have the budget to defend adequately against current and emerging threats.

Andy Norton, director of threat intelligence at security firm Lastline, said the GDPR sets out a legal requirement for the gathering, managing, storing and disposing of personally identifiable information (PII) on European citizens.

Read more about the NIS Directive

  • UK mulls hefty fines for CNI providers with poor cyber security.
  • With cyber crime on the rise, the European Union is trying to fight back with its NIS Directive.
  • Coming European legislation on network and information security could have cost and organisational implications for a range of UK companies.
  • EU legislators and member states agree a text for new cyber security rules that will introduce mandatory data breach notification.

“If you are holding information considered PII on European citizens, you are subject to the GDPR requirements regardless of where you are in the world or where the information is held,” said Norton.

He said the NIS directive is guidance on how providers of essential services and critical infrastructure should apply security controls to their environment to make it resilient to attack.

“The GDPR, in effect, is ensuring that the provision of privacy is treated as critical infrastructure,” he said. “Many of the articles in GDPR related to securing, auditing and monitoring requirements are taken from the NIS Directive.”

According to Norton, much of the “frenzied activity” to date has involved finding out where data is and whether it is held in a compliant manner, but many organisations have yet to address the requirement for continuous vigilance in the monitoring and auditing of security controls.

“There is a 72-hour ticking clock, and once an organisation discovers a malicious infection into its internal network, it must prove before the clock runs out that the infection did not exfiltrate data considered to be PII,” he said.

“If, at the end of the 72 hours, they are uncertain about the extent of the compromise, they have a decision to make. Either they don’t inform the regulatory body, and risk increased fines if further investigation uncovers that PII data was involved in the compromise, or do inform the governing body [the ICO in the case of the UK], and risk customer confidence losses.”

But by implementing systems that can prove no PII data was taken, organisations can avoid reporting breaches unnecessarily, said Norton.

Read more about GDPR

Meanwhile, according to research by audit, tax and consulting network RSM, 92% of European businesses are unprepared for the GDPR.

A poll of 400 business leaders in Europe also revealed that 28% are unfamiliar with the new regulation they will need to observe from May 2018, and 26% of business leaders familiar with their GDPR strategy admit their organisation will not be compliant by the deadline.

More than half (51%) believe the regulation is too complex for SMEs and middle market businesses, despite agreeing that increased regulation around the use of personal data is necessary. And 41% of those aware of their organisation’s strategy believe the requirements of the GDPR will significantly increase their business expenditure, including consulting services.

The use of external expertise is increasingly prevalent, with 60% of businesses looking for external support to deliver their compliance project before the May 2018 deadline.

The survey shows that the process of preparing for GDPR is already affecting business operations, with respondents saying their businesses are cutting back in other areas, including plans to create innovative products (23%) or to fuel growth through international expansion (22%).

Jean Stephens, CEO at RSM, said there has been an increase in clients asking about GDPR consulting services. “However, it is clear from this research that many businesses do not fully comprehend the hurdles they will have to overcome ahead of the fast-approaching deadline,” she said.

“Business leaders need to understand that this is not a simple tick-box exercise. They are likely to need to implement significant changes that could impact their organisation as a whole, and so the sooner they begin to prepare, the better.”

Read more on Hackers and cybercrime prevention