Businesses have a wide range of new opportunities such as artificial intelligence (AI), big data, cloud computing and internet of things (IoT). However, at the same time, these new opportunities are introducing an unprecedented set of information security risks. These risks are being compounded by increased levels of mobility, bring-your-own-device (BYOD) and cybersecurity skill shortages. As such, companies are suffering a growing number of data breaches and a mounting number of compliance risks. Organisations must address cybersecurity and privacy, not just because they face financial and reputational fallout if they don’t, but also because regulators can penalise them for inadequate protection.
We interviewed 1,350 decision makers in businesses across the globe to find out how they viewed information security and what they were doing to mitigate the associated risks. The results of the research show significant progress in some areas but large gaps in others. For example, companies are making headway in the fight to secure their data. They are showing improvements in key areas, such as storing data securely, investing in cybersecurity measures and taking out cyber insurance. On the other hand, there are several gaps in other aspects of cybersecurity preparedness. Companies are sometimes unaware of how, or even whether, security-related regulations affect them, and they are still behind in the creation and communication of information security policies. As the stakes rise for businesses in Europe and beyond with the General Data Protection Regulation (GDPR), they must invest in cybersecurity. This isn’t simply a financial exercise. It also takes an inspired and engaged workforce to create a cultural shift within an organisation.
The focus to date has been on the technology side of security, and we need to increase efforts around the people side of security. The technology investments have been important and should not be undervalued, but they need to be seen as part of the whole solution. One of the biggest challenges is human error. This is not internal espionage or malice, but basic mistakes driven by a lack of understanding and awareness. We have found that updating the security policy on the intranet and sending one email update a year was generally the extent of security ‘training’. This must change. Your staff are your human firewall, and like any firewall they need to be updated and maintained to work effectively. Awareness and education are critical to cybersecurity success.
Companies are still not raising cybersecurity as a board-level issue as much as they should, and they are failing to get employees on board because they are not engaging them and are not communicating information security policies properly. Perhaps the biggest commercial risk is now regulatory. Until recently, companies with gaps in their information security strategies could simply take the risk of compromise and then cope with the problem if it arose. However, with GDPR, companies now face a burden of proof. Should regulators come calling, businesses must show that they have taken adequate measures under the GDPR rules to protect their data. If they haven’t, the penalties will be swift and severe. This is a complicated situation, and security is more than a one-time effort: it is an ongoing and continuous process.
How can organisations implement continuous security transformation?
It is our belief that security is the responsibility of every executive and employee and should not be the responsibility of the security organisation alone. Security is complicated and requires both business and technical expertise. That is why, at NTT DATA, we have developed a security transformation framework. The framework is intended to help every executive and employee develop the security protections needed to survive constant threats. Our framework helps every client, no matter their security maturity, to continually keep pace with security requirements. In short, it is the model for continuous security transformation.
Our framework has five core pillars and is underpinned by our core assets, security expertise and cyber incident management practices. The five core pillars are:
- Vulnerability Management
- Risk Management
- Compliance and GDPR
- Application and Data Security
- Cloud and Emerging Technology Security
Within each of the pillars we have a three-step approach: assess, deliver and manage. Our 1,800+ security professionals worldwide support clients through these steps, providing consulting, solution delivery and managed services.
NTT DATA is a global leader in security. We combine our security intelligence, expertise and assets to support our clients with continuous security transformation. Find out more about NTT DATA’s security expertise by contacting us.