CLEARING THE PATH: - Palo Alto Networks
CLEARING THE PATH: PREVENTING THE BLOCKS TO CYBERSECURITY IN BUSINESS

Introduction

The world of cybersecurity is changing. As all aspects of our lives become increasingly connected, businesses have made great progress in preparing to defend themselves against attacks. But with growing responsibility to protect the data of customers, employees, partners and shareholders, there’s still more for businesses to do to ensure the best possible protection.

The EU’s Network and Information Security (NIS) Directive, slated to be implemented by Member States sometime in spring 2018, will impose new security requirements on operators of essential services and digital service providers. These entities must take appropriate and proportionate technical and organisational measures to manage risks to the security of their networks and information systems, and these measures must have regard for the “state of the art”. The NIS Directive also requires the notification to authorities of security incidents of particular magnitudes. Finally, the NIS Directive requires that covered companies take appropriate measures to prevent incidents affecting the security of their network and information systems.

The General Data Protection Regulation (GDPR), the new personal data protection law that will come into force on 25 May 2018, also has requirements directing entities to implement appropriate security measures with regard to the state of the art, in order to protect the data of EU residents. In addition, the regulation requires data controllers to notify authorities in the event of a data breach. Significant financial penalties have been introduced for infringements of the regulation’s provisions.

Businesses appear to understand the level of impact that these laws’ provisions are likely to have. According to research by MicroMarketMonitor, European businesses are expected to spend around $35.53 billion on cybersecurity by 2019.
According to our own research, 96 percent of management-level employees in European companies acknowledged that cybersecurity should be a priority.

While it’s great to see businesses taking cybersecurity seriously, simply buying more products and then carrying on as normal won’t improve the situation if we cannot reduce the amount of time taken to detect and prevent incidents.

With so much at stake, we surveyed more than 700 decision-makers in companies with over 1000 employees in the U.K., Germany, France, the Netherlands and Belgium to understand how they plan to adjust to the changing world of cybersecurity.

Key Statistics
• European businesses are expected to spend $35.53 billion on cybersecurity by 2019.
• 96% of business decision-makers acknowledge cybersecurity should be a priority.

Palo Alto Networks | Clearing the Path: Preventing the Blocks to Cybersecurity in Business

SECTION 1: CYBERSECURITY BLOCKERS THAT EXIST

At a Business Level

Business leaders are clear on the importance of cybersecurity, but there is confusion across most organizations about where responsibility lies. Our research found that 1 in 5 (18%) of management-level employees don’t feel they have a role to play in their company’s cybersecurity efforts. Furthermore, 40 percent of respondents believe that, in the event of a security breach, IT would be held to blame. The majority of IT departments tend to agree, with 57 percent believing that security is their domain alone.

The breadth of responsibility for cybersecurity is still unclear to many. The truth is that it is no longer just an IT issue; it should be a pervasive everyday business practice that requires the involvement of every employee across every department. This integration of security into business practices requires an approach of security by design and by default. Employees need a clear idea of what they are responsible for and how their behaviour impacts the security of the business as a whole.
Essential to this, business leaders must take a holistic view of cybersecurity and should employ technology strategically to support security in their personnel training and business practices. Threat detection and prevention should be as automated as the business processes they are designed to protect. That can’t be the job of technology alone; effective security systems encompass both technology and input from human cybersecurity professionals. That means preventive, real-time measures that allow an organization to monitor all the traffic in its network are necessary to provide an accurate view of risk.

At an Employee Level

Employees today are more tech-savvy than ever. Most people use technology and applications to run their personal lives, whether banking, shopping or streaming their favourite TV shows on laptops, tablets or mobiles. As individuals, we have come to expect the same, easy user experience when we are at work and can grow frustrated when it is not made available to us.

Some employees circumvent their company’s cybersecurity policy to use a more efficient tool or service than that which is sanctioned by their organization. Our research shows that 1 in 5 respondents (17%) feel their cybersecurity policy is frustrating and prevents them from having access to the tools and sites they need to do their jobs.

Key Statistics
• Almost 1 in 5 (18%) of management-level employees don’t feel they have a role to play in their company’s cybersecurity efforts.
• Almost 1 in 5 respondents (17%) feel their cybersecurity policy is frustrating and prevents them from having access to the tools and sites they need to do their jobs.
• 57% of IT departments believe that cybersecurity is solely their domain.
• 40% of respondents believe that, in the event of a security breach, IT would be held to blame.

SECTION 2: CLEARING THE ROAD AHEAD

There are three key steps all businesses can take to make sure they are ahead when it comes to cybersecurity.

Make It Measurable

Security must move from being seen as a negative to a positive. Businesses should be able to demonstrate the commercial value that comes from cybersecurity, be that in new business contracts or increased business efficiencies. Historically it has been easy to claim success when nothing bad has happened, but that often is just due to chance. If cybersecurity is to become an integral part of business, it must be accountable. One of the first goals for any company is to agree on how to measure the benefit of cybersecurity.

Unite Around Security

Business innovation and cyberthreats are both extremely dynamic, but it’s very easy to look at cyber as a project to be completed. The reality is that education, empowerment and implementation are ongoing processes that all aspects of the business must continue to support and drive. Critical to this is a common language that allows everyone to engage in discussion, whether they are in HR, legal, finance, IT or any other part of a business.

Being Proactive

By their nature, security leaders can be risk averse, and such a stance may be in conflict with business drivers. This can be visible through an unwillingness to let go of legacy security tools and processes that are no longer effective in the current landscape. Yet the belief that such legacy capabilities could save them one last time can lead to immobility. In such a dynamic world, if we are not keeping pace, we are slowing down business and often inadvertently creating risk.

SECTION 3: WHAT DOES THE FUTURE HOLD?

While businesses can always do more to educate employees about cybersecurity risks and their role in preventing them, it appears that attitudes are changing. Just under two-thirds (61%) of respondents to our survey said that they would talk to IT before introducing new devices or business applications to the company network. Awareness appears to be growing, but employee education efforts must continue to ensure that those on the frontline understand the role they have to play and have the skills they need to identify threats.

Security challenges to businesses are only likely to grow over the coming years. The immediate priority will be to understand and adapt to the requirements laid out by GDPR and NIS. However, this comes at a time when the number of connected devices is expected to grow exponentially. According to Gartner, by 2020, more than 25 percent of identified attacks in enterprises will involve the IoT¹, showing that businesses are more susceptible to attacks as more and more data flows between them and their customers and partners. In addition, the proliferation of new endpoints creates weak spots that can be exploited by threat actors, with their growing popularity making them valuable targets for attackers.

As our lives become more connected, employees will continue to demand more choice over the devices and services they use. Companies need to enable this rather than dictate technology options. That means identifying next-generation security offerings that are designed for the modern, dynamic and expanding computing environment and encouraging the use of new devices and tools.

Key Statistics
• 61% of respondents to our survey said that they would talk to IT before introducing new devices or business applications to the company network.
• According to Gartner, by 2020, more than 25% of identified attacks in enterprises will involve the IoT.¹

Methodology

The survey referenced (unless otherwise stated) was conducted online among 765 business decision-makers in companies with 1000+ employees in the U.K., Germany, France, the Netherlands and Belgium. It was commissioned by Palo Alto Networks and conducted by Redshift Research in October 2015.

About Palo Alto Networks

Palo Alto Networks is the next-generation security company, leading a new era in cybersecurity by safely enabling applications and preventing cyber breaches for tens of thousands of organizations worldwide. Built with an innovative approach and highly differentiated cyberthreat prevention capabilities, our game-changing security platform delivers security far superior to legacy or point products, safely enables daily business operations and protects an organization’s most valuable assets.

Find out more at www.paloaltonetworks.com

Palo Alto Networks and the Palo Alto Networks logo are trademarks of Palo Alto Networks, Inc. in the United States and in jurisdictions throughout the world. All other trademarks, trade names or service marks used or mentioned herein belong to their respective owners.

¹ Gartner Press Release, “Gartner Says Worldwide IoT Security Spending to Reach $348 Million in 2016”, April 25, 2016, http://www.gartner.com/newsroom/id/3291817