The General Data Protection Regulation (GDPR) has been a game changer for data privacy, and U.S. companies are beginning to catch up to the EU in data management practices. However, privacy is only one area in which U.S. organizations are falling behind their European counterparts. To promote compliance with data privacy regulations, both current and forthcoming, U.S. companies will have to invest a lot more in advancing security programs.

What Drives Security Trends?

The largest companies tend to drive technology and security trends. However, Europe is pushing the envelope at a greater rate than American companies.

It likely comes down to GDPR. According to Spiceworks, regulatory changes surrounding data privacy — including huge fines surrounding a data breach — have led to a greater emphasis on security enhancements like encryption. This has also likely been the catalyst for EU to adopt security technologies such as artificial intelligence (AI) and machine learning (ML).

Still, Spiceworks found that most companies on either continent turn to relatively inexpensive solutions to implement security — antivirus and security awareness training are the two most popular — as opposed to more aggressive defense strategies such as honeypots. More regulated industries are also more likely to adopt emerging security tools, which could explain why a region under the broadest data protection mandate is so far ahead.

Identify Your Program’s Weak Links

Spiceworks found that American companies tend to prefer security awareness as their primary solution for cybersecurity, as opposed to the EU, which favors technology-based tools. However, according to a study by MediaPro, 85 percent of employees who work in the financial industry, where a data breach can be particularly damaging, fail at basic security tasks such as recognizing personal data. Financial employees were also unable to tell the difference between a phishing scam and legitimate email, and the majority of employees do not alert IT or security staff when they do see a problem.

Relying on security awareness training as the primary security tool is risky. At the same time, even technological tools that improve workplace efficiency expand the organization’s digital attack surface.

Improving IT Starts With Budgeting

Spiceworks looked at the state of IT budgets, which are either staying the same or increasing across both American and European businesses. Primary spending drivers include replacing old tech and preparing for the end of Windows 7 support, which will happen in 2020, according to the survey.

Although security-specific spending is projected to increase in the coming year, according to the report, updating aging infrastructure is also a direct response to ransomware campaigns such as last year’s WannaCry attack and to promote compliance with data privacy regulations such as GDPR.

How Can Companies Budget Differently?

The size of the organization also plays a role in how it budgets. For example, while smaller companies are spending money to replace tech due to the end of its life cycle or for business growth, large enterprises are focused on improving their digital transformation with the latest technologies.

Across organizations, security software makes up about 10 percent of the IT budget. But, as the study noted, large enterprises or 5,000 employees or more are more likely to increase IT budgets due to heightened security concerns, whereas budgets at midsize organizations made up of 500 to 999 employees are more likely to grow due to corporate tax cuts.

American companies tend to be more averse to digital transformation than European ones. According to Spiceworks, one reason goes back to budgeting. To save money, organizations will wait out the life cycle of security technologies, using them until they don’t work anymore. If security leaders can adjust their existing tools to meet new requirements, thereby reducing costs, they likely will.

The cybersecurity skills shortage also comes into play. There aren’t enough skilled IT workers who can implement an automated security system, so it’s easier and cheaper to try and change behaviors of current employees and maintain old networks. This is especially true in small and midsize businesses.

Balance Security Awareness and Tech

The most effective security practices will blend security awareness with emerging security technologies.

People are prone to make errors, but decision-makers too often assume that an hourlong online seminar explaining how to spot a phishing campaign is an effective security training program. Instead, security awareness has to be built into an overall security policy and, like audits and penetration tests, conducted regularly.

Before building awareness training, decision-makers should recognize what they are securing. Is it customer data? Intellectual property? Personal devices connected to the network? Knowing what you are securing will provide a baseline of the type of awareness necessary.

The training itself should be interactive and frequent. Some companies will send out fake phishing emails to random employees to see who takes the bait. Employees who fail are required to do another round of training. Awareness training should explain why this particular information is being secured and, of course, grow with company needs.

Adding emerging security technologies is a bit trickier, because this will depend on budgets and staffing. Implementing a managed security service provider will add continuous monitoring to your network. Tools such as hardware authentication, privileged access and identity management systems, and user behavior analytics can trigger alerts of unauthorized use that even an effectively trained employee may not detect.

Companies Can’t Afford to Be Reactive

Cybersecurity has historically tended to be reactive — responding to an attack that’s already happened and working to prevent it from happening again. In a post-GDPR world, companies can’t afford to remain passive until after an incident.

As North American governments begin to address data privacy issues with their own legislation, companies will need to adapt similarly to their European counterparts. Expect to see more American organizations follow the EU’s example and adopt security technologies to better mitigate potential threats.

More from CISO

Emotional Blowback: Dealing With Post-Incident Stress

Cyberattacks are on the rise as adversaries find new ways of creating chaos and increasing profits. Attacks evolve constantly and often involve real-world consequences. The growing criminal Software-as-a-Service enterprise puts ready-made tools in the hands of threat actors who can use them against the software supply chain and other critical systems. And then there's the threat of nation-state attacks, with major incidents reported every month and no sign of them slowing. Amidst these growing concerns, cybersecurity professionals continue to report…

Moving at the Speed of Business — Challenging Our Assumptions About Cybersecurity

The traditional narrative for cybersecurity has been about limited visibility and operational constraints — not business opportunities. These conversations are grounded in various assumptions, such as limited budgets, scarce resources, skills being at a premium, the attack surface growing, and increased complexity. For years, conventional thinking has been that cybersecurity costs a lot, takes a long time, and is more of a cost center than an enabler of growth. In our upcoming paper, Prosper in the Cyber Economy, published by…

Reporting Healthcare Cyber Incidents Under New CIRCIA Rules

Numerous high-profile cybersecurity events in recent years, such as the Colonial Pipeline and SolarWinds attacks, spurred the US government to implement new legislation. In response to the growing threat, President Biden signed the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) in March 2022.While the law has passed, many healthcare organizations remain uncertain about how it will directly affect them. If your organization has questions about what steps to take and what the law means for your processes,…

Charles Henderson’s Cybersecurity Awareness Month Content Roundup

In some parts of the world during October, we have Halloween, which conjures the specter of imagined monsters lurking in the dark. Simultaneously, October is Cybersecurity Awareness Month, which evokes the specter of threats lurking behind our screens. Bombarded with horror stories about data breaches, ransomware, and malware, everyone’s suddenly in the latest cybersecurity trends and data, and the intricacies of their organization’s incident response plan. What does all this fear and uncertainty stem from? It’s the unknowns. Who might…