The General Data Protection Regulation (GDPR) has been a game changer for data privacy, and U.S. companies are beginning to catch up to the EU in data management practices. However, privacy is only one area in which U.S. organizations are falling behind their European counterparts. To promote compliance with data privacy regulations, both current and forthcoming, U.S. companies will have to invest a lot more in advancing security programs.
What Drives Security Trends?
The largest companies tend to drive technology and security trends. However, Europe is pushing the envelope at a greater rate than American companies.
It likely comes down to GDPR. According to Spiceworks, regulatory changes surrounding data privacy — including huge fines following a data breach — have led to a greater emphasis on security enhancements like encryption. This has also likely been the catalyst for the EU to adopt security technologies such as artificial intelligence (AI) and machine learning (ML).
Still, Spiceworks found that most companies on either continent turn to relatively inexpensive solutions to implement security — antivirus and security awareness training are the two most popular — as opposed to more aggressive defense strategies such as honeypots. More regulated industries are also more likely to adopt emerging security tools, which could explain why a region under the broadest data protection mandate is so far ahead.
Identify Your Program’s Weak Links
Spiceworks found that American companies tend to prefer security awareness as their primary solution for cybersecurity, as opposed to the EU, which favors technology-based tools. However, according to a study by MediaPro, 85 percent of employees who work in the financial industry, where a data breach can be particularly damaging, fail at basic security tasks such as recognizing personal data. Financial employees were also unable to tell the difference between a phishing scam and legitimate email, and the majority of employees do not alert IT or security staff when they do see a problem.
Relying on security awareness training as the primary security tool is risky. At the same time, even technological tools that improve workplace efficiency expand the organization’s digital attack surface.
Improving IT Starts With Budgeting
Spiceworks looked at the state of IT budgets, which are either staying the same or increasing across both American and European businesses. Primary spending drivers include replacing old tech and preparing for the end of Windows 7 support, which will happen in 2020, according to the survey.
Although security-specific spending is projected to increase in the coming year, according to the report, updating aging infrastructure is also a direct response to ransomware campaigns such as last year’s WannaCry attack and a way to promote compliance with data privacy regulations such as GDPR.
How Can Companies Budget Differently?
The size of the organization also plays a role in how it budgets. For example, while smaller companies are spending money to replace tech due to the end of its life cycle or for business growth, large enterprises are focused on improving their digital transformation with the latest technologies.
Across organizations, security software makes up about 10 percent of the IT budget. But, as the study noted, large enterprises of 5,000 employees or more are more likely to increase IT budgets due to heightened security concerns, whereas budgets at midsize organizations of 500 to 999 employees are more likely to grow due to corporate tax cuts.
American companies tend to be more averse to digital transformation than European ones. According to Spiceworks, one reason goes back to budgeting. To save money, organizations will wait out the life cycle of security technologies, using them until they don’t work anymore. If security leaders can adjust their existing tools to meet new requirements, thereby reducing costs, they likely will.
The cybersecurity skills shortage also comes into play. There aren’t enough skilled IT workers who can implement an automated security system, so it’s easier and cheaper to try to change the behaviors of current employees and maintain old networks. This is especially true in small and midsize businesses.
Balance Security Awareness and Tech
The most effective security practices will blend security awareness with emerging security technologies.
People are prone to make errors, but decision-makers too often assume that an hourlong online seminar explaining how to spot a phishing campaign is an effective security training program. Instead, security awareness has to be built into an overall security policy and, like audits and penetration tests, conducted regularly.
Before building awareness training, decision-makers should recognize what they are securing. Is it customer data? Intellectual property? Personal devices connected to the network? Knowing what you are securing will provide a baseline of the type of awareness necessary.
The training itself should be interactive and frequent. Some companies will send out fake phishing emails to random employees to see who takes the bait. Employees who fail are required to do another round of training. Awareness training should explain why this particular information is being secured and, of course, grow with company needs.
Adding emerging security technologies is a bit trickier, because this will depend on budgets and staffing. Engaging a managed security service provider will add continuous monitoring to your network. Tools such as hardware authentication, privileged access and identity management systems, and user behavior analytics can trigger alerts on unauthorized use that even an effectively trained employee may not detect.
Companies Can’t Afford to Be Reactive
Cybersecurity has historically tended to be reactive — responding to an attack that’s already happened and working to prevent it from happening again. In a post-GDPR world, companies can’t afford to remain passive until after an incident.
As North American governments begin to address data privacy issues with their own legislation, companies will need to adapt similarly to their European counterparts. Expect to see more American organizations follow the EU’s example and adopt security technologies to better mitigate potential threats.