CLEARING THE PATH: - Palo Alto Networks

CLEARING THE PATH: PREVENTING THE BLOCKS TO CYBERSECURITY IN BUSINESS
Introduction
The world of cybersecurity is changing. As all aspects of our lives become
increasingly connected, businesses have made great progress in preparing to
defend themselves against attacks. But with growing responsibility to protect
the data of customers, employees, partners and shareholders, there’s still
more for businesses to do to ensure the best possible protection.
The EU’s Network and Information Security (NIS) Directive, slated to be
implemented by Member States sometime in spring 2018, will impose new
security requirements on operators of essential services and digital service
providers. These entities must take appropriate and proportionate technical
and organisational measures to manage risks to the security of their
networks and information systems, and these measures must have regard
for the “state of the art”. The NIS Directive also requires the notification to
authorities of security incidents of particular magnitudes. Finally, the NIS
Directive requires that covered companies take appropriate measures to
prevent incidents affecting the security of their network and information
systems.
The General Data Protection Regulation (GDPR), the new personal
data protection law that will come into force on 25 May 2018, also has
requirements directing entities to implement appropriate security measures
with regard to the state of the art, in order to protect the data of EU
residents. In addition, the regulation requires data controllers to notify
authorities in the event of a data breach. Significant financial penalties have
been introduced for infringements of the regulation’s provisions.
Businesses appear to understand the level of impact that these laws’
provisions are likely to have. According to research by MicroMarketMonitor,
European businesses are expected to spend around $35.53 billion on
cybersecurity by 2019. According to our own research, 96 percent of
management-level employees in European companies acknowledged that
cybersecurity should be a priority. While it’s great to see businesses taking
cybersecurity seriously, simply buying more products and then carrying on as
normal won’t improve the situation if we cannot reduce the amount of time
taken to detect and prevent incidents.
With so much at stake, we surveyed more than 700 decision-makers in
companies with over 1000 employees in the U.K., Germany, France, the
Netherlands and Belgium to understand how they plan to adjust to the
changing world of cybersecurity.
Key Statistics
• European businesses are expected to spend $35.53 billion on cybersecurity by 2019.
• 96% of business decision-makers acknowledge cybersecurity should be a priority.
Palo Alto Networks | Clearing the Path: Preventing the Blocks to Cybersecurity in Business
SECTION 1: CYBERSECURITY BLOCKERS THAT EXIST
At a Business Level
Business leaders are clear on the
importance of cybersecurity, but there
is confusion across most organizations
about where responsibility lies. Our
research found that 1 in 5 (18%)
of management-level employees
don’t feel they have a role to play
in their company’s cybersecurity
efforts. Furthermore, 40 percent
of respondents believe that, in the
event of a security breach, IT would
be held to blame. The majority of IT
departments tend to agree, with 57
percent believing that security is their
domain alone.
The breadth of responsibility for
cybersecurity is still unclear to many.
The truth is that it is no longer just
an IT issue; it should be a pervasive
everyday business practice that
requires the involvement of every
employee across every department.
This integration of security into
business practices requires an
approach of security by design and
by default. Employees need a clear
idea of what they are responsible
for and how their behaviour impacts
the security of the business as a
whole. Essential to this, business
leaders must take a holistic view of
cybersecurity and should employ
technology strategically to support
security in their personnel training and
business practices.
Threat detection and prevention
should be as automated as the
business processes they are designed
to protect. That can’t be the job of
technology alone; effective security
systems encompass both technology
and input from human cybersecurity
professionals. That means preventive,
real-time measures that allow an
organization to monitor all the traffic
in its network are necessary to
provide an accurate view of risk.
admitting to doing so
At an Employee Level
Employees today are more tech-savvy than ever. Most people use
technology and applications to run
their personal lives, whether banking,
shopping or streaming their favourite
TV shows on laptops, tablets or
mobiles. As individuals, we have
come to expect the same, easy user
experience when we are at work and
can grow frustrated when it is not
made available to us.
Some employees circumvent their
company’s cybersecurity policy to
use a more efficient tool or service
than that which is sanctioned by their
organization. Our research shows that
1 in 5 respondents (17%) feel their
cybersecurity policy is frustrating and
prevents them from having access to
the tools and sites they need to do
their jobs.
Key Statistics
• Almost 1 in 5 (18%) of management-level employees don’t feel they have a role to play in their company’s cybersecurity efforts.
• Almost 1 in 5 respondents (17%) feel their cybersecurity policy is frustrating and prevents them from having access to the tools and sites they need to do their jobs.
• 57% of IT departments believe that cybersecurity is solely their domain.
• 40% of respondents believe that, in the event of a security breach, IT would be held to blame.
SECTION 2: CLEARING THE ROAD AHEAD
There are three key steps all businesses can take to make sure they are ahead when it comes to cybersecurity.
Make It Measurable
Security must move from being seen
as a negative to a positive. Businesses
should be able to demonstrate the
commercial value that comes from
cybersecurity, be that in new business
contracts or increased business
efficiencies. Historically it has been
easy to claim success when nothing
bad has happened, but that often is
just due to chance. If cybersecurity
is to become an integral part of
business, it must be accountable. One
of the first goals for any company is to
agree on how to measure the benefit
of cybersecurity.
Unite Around Security
Business innovation and cyberthreats
are both extremely dynamic, but
it’s very easy to look at cyber as a
project to be completed. The reality
is that education, empowerment and
implementation are ongoing processes
that all aspects of the business
must continue to support and drive.
Critical to this is a common language
that allows everyone to engage in
discussion, whether they are in HR,
legal, finance, IT or any other part of a
business.
Being Proactive
By their nature, security leaders can
be risk averse, and such a stance
may be in conflict with business
drivers. This can be visible through
an unwillingness to let go of legacy
security tools and processes that are
no longer effective in the current
landscape. Yet the belief that such
legacy capabilities could save them
one last time can lead to immobility.
In such a dynamic world, if we are not
keeping pace, we are slowing down
business and often inadvertently
creating risk.
SECTION 3: WHAT DOES THE FUTURE HOLD?
While businesses can always do
more to educate employees about
cybersecurity risks and their role
in preventing them, it appears that
attitudes are changing. Just under
two-thirds (61%) of respondents to
our survey said that they would talk to
IT before introducing new devices or
business applications to the company
network. Awareness appears to be
growing, but employee education
efforts must continue to ensure that
those on the frontline understand the
role they have to play and have the
skills they need to identify threats.
Security challenges to businesses are
only likely to grow over the coming
years. The immediate priority will
be to understand and adapt to the
requirements laid out by GDPR and
NIS. However, this comes at a time
when the number of connected
devices is expected to grow
exponentially. According to Gartner,
by 2020, more than 25 percent of
identified attacks in enterprises
will involve the IoT[1], showing that
businesses are more susceptible to
attacks as more and more data flows
between them and their customers
and partners. In addition, the
proliferation of new endpoints creates
weak spots that can be exploited
by threat actors, with their growing
popularity making them valuable
targets for attackers.
As our lives become more connected,
employees will continue to demand
more choice over the devices and
services they use. Companies need
to enable this rather than dictate
technology options. That means
identifying next-generation security
offerings that are designed for the
modern, dynamic and expanding
computing environment and
encouraging the use of new devices
and tools.
Key Statistics
• 61% of respondents to our survey said that they would talk to IT before introducing new devices or business applications to the company network.
• According to Gartner, by 2020, more than 25% of identified attacks in enterprises will involve the IoT.[1]
Methodology
The survey referenced (unless
otherwise stated) was conducted
online among 765 business decision-makers in companies with 1000+
employees in the U.K., Germany,
France, the Netherlands and Belgium.
It was commissioned by Palo Alto
Networks and conducted by Redshift
Research in October 2015.
About Palo Alto Networks
Palo Alto Networks is the next-generation security company, leading
a new era in cybersecurity by safely
enabling applications and preventing
cyber breaches for tens of thousands
of organizations worldwide. Built
with an innovative approach and
highly differentiated cyberthreat
prevention capabilities, our game-changing security platform delivers
security far superior to legacy or
point products, safely enables daily
business operations and protects an
organization’s most valuable assets.
Find out more at
www.paloaltonetworks.com
Palo Alto Networks and the Palo Alto
Networks logo are trademarks of Palo
Alto Networks, Inc. in the United States
and in jurisdictions throughout the
world. All other trademarks, trade names
or service marks used or mentioned
herein belong to their respective owners.
[1] Gartner Press Release, “Gartner Says Worldwide IoT Security Spending to Reach $348 Million in 2016”, April 25, 2016, http://www.gartner.com/newsroom/id/3291817