Infosec teams unprepared for new EU data protection laws

News by Doug Drinkwater

More than a third of IT security teams are unprepared for the EU's two incoming data protection laws, according to a new study from FireEye.

In its latest survey entitled “Mixed State of Readiness For Cybersecurity Regulations in Europe”, anti-malware specialist FireEye reveals that more than one-third (39 percent) of organisations in the UK, Germany and France do not have the defensive measures in place for the Network and Information Security (NIS) directive and General Data Protection Regulation (GDPR), with this figure even lower for the long-awaited GDPR.

Only two-thirds of respondents (66 percent) said that their firm fully understood the impact from the proposed regulations, while the study highlighted that more than half had serious reservations over the proposed fines (58 percent), the potential damage to business reputation (57 percent) and the loss of business and/or revenue (58 percent). In addition, 60 percent claimed that there was ‘no clear guidance’ on the legislation, while 68 percent and 56 percent respectively bemoaned implementation costs and policy complexity.

The EU General Data Protection Regulation was expected to be finalised by early 2015, with compliance becoming mandatory in 2017 after a two-year sunset period. The law will establish fines of up to five percent of global turnover (or €100 million) and will introduce mandatory data breach disclosure. On this last point, businesses will be asked to report data breaches within a 72-hour window.

The NIS directive – also known as the Cybersecurity Directive – was first proposed by the European Commission in 2013 and is also expected to get the green light later this year. It aims to ensure critical national infrastructure (CPNI) operators, such as banks and energy companies, meet appropriate IT security standards, share information about cyber-threats and report when they have been breached.

“The new EU security and privacy requirements are incredibly important and will greatly increase the security obligations of European organisations,” said Adam Palmer, international government affairs director at FireEye.

“We encourage organisations of all sizes to adopt mitigation measures that will manage risk stemming from zero-day exploits and never-seen-before malware as these attacks constitute a majority of advanced attacks in today's threat environment. However, our research does show that organisations are not fully prepared for the implementation of the legislation, and it is critical these organisations begin preparing now to be in compliance and not be caught unprepared.”

Speaking to shortly after the release of the survey of 260 IT and IT security professionals, Sally Annereau, data protection analyst at Taylor Wessing, said that the on-going delays could have caused IT security teams to lose interest in incoming legislation.

“On-going delays in finalising European rules to protect EU citizens' data (in particular the continuing uncertainty as to the final form of the data protection regulation) may be holding back businesses from stepping up to tackle cyber-security concerns. If businesses are going to invest a large amount of money in infrastructure and supporting procedures they will want to be confident they are not building a castle on shifting sands.”

Jon Inns, director of product management at Accumuli, the company that acquired RandomStorm late last year, added that the results were ‘not surprising’ – but suggested that Cyber Essentials could hold the key to security improvements in the UK.

“The UK government has already begun actively tackling the lack of awareness and preparation, particularly among smaller UK firms, by introducing The Cyber Essentials framework, backed by CREST. Cyber Essentials defines a focused set of controls which can provide cost-effective cyber-security for organisations of all sizes. The framework is an important element of the UK government's National Cyber Security Strategy because smaller firms may lack the in-house expertise required to develop and maintain robust defences to deter cyber-criminals and comply with NIS and EU GDPR.

“Recent breaches have demonstrated that cyber-criminals often target smaller suppliers, or partner organisations, to gain a foothold in the networks of much larger target organisations.”

This report isn't the first voice to cast doubt on IT security maturity, especially in relation to the EU's General Data Protection Regulation. Back in April, Trend Micro revealed that only half of UK firms were aware of the legislation, compared to 87 percent of firms in Germany and 65 percent in France.
