Less capable than they think: No-one fully GDPR compliant & few truly secure

News by Tony Morbin

Whether it's down to cost or understanding, neither SMEs nor enterprises have any room for complacency about their cyber-defence capabilities, according to a recent UK survey.

When it comes to cyber-security, it would appear that the less capable you are, the less you realise how vulnerable you are. At least that seems to be the lesson of a Manage Engine survey being released next week, State of IT in the United Kingdom 2019, which reports that only 12 percent of enterprises believe their IT security can detect a breach, whereas 21 percent of SMEs and large organisations believe they can detect such activity.

A whopping 72 percent of respondents said they did not use a comprehensive vulnerability management solution to detect, assess, prioritise and patch vulnerabilities - which Kevin Duffey, co-chair, cyber and convergence, at The Security Institute described as "a good number" during a roundtable discussion of the findings yesterday. He explained that it was good that so many recognised they don't have the tools to protect themselves efficiently.

Perhaps it was not surprising that 38 percent of respondents had reported a breach - but a worrying 24 percent had reported 10 breaches or more. 

Giles Watkins, UK country leader at the International Association of Privacy Professionals, described the problem as the multiplicity of supply, saying "It comes down to governance," adding that cloud services were being used by SMEs in particular to outsource security. But of course, "they haven't outsourced the risk," chipped in Ian Fish, chair, security and privacy executive, BCS, the Chartered Institute for IT. While the numbers reporting using some form of cloud had risen from 87 percent in 2017 to 96 percent today, the consensus around the table was that it was likely 100 percent of companies now use some cloud services, even if they don't realise it.

There was a similar consensus among panelists when it came to GDPR: while 54 percent of SMEs said they were fully compliant, and 70 percent of enterprises claimed the same, panelists felt it was unlikely that anyone was. But they agreed that if you have a workable plan and implement it, that is as much as you can expect. However, moderator Bob Tarzey, former analyst at Quocirca, pointed out that for all its flaws, GDPR was now the de-facto world standard for data protection.

Roxanne Morison, head of digital policy at the Confederation of British Industry, commented: "GDPR fines are completely changing the situation at board level as regulators are looking at their core systems and strengths (in the event of a breach) which affects the level of fine." While 48 percent of respondents attributed lack of compliance to working with legacy systems, a lack of investment was cited by 42 percent and lack of awareness by 43 percent.

Sridhar Iyengar, managing director, Zoho Corporation, parent company of Manage Engine, commented: "It's not black and white - when companies get into working on it (compliance) they realise (the complexity). Even if the tools could make them compliant, they need to implement them correctly." Watkins added, "There is not enough skills/knowledge to fully implement GDPR - the ICO has seen reported breaches rise to 14,000 from 3,000 the year before." When it comes to the legacy issue, he suggested, "The hardest part is locating unstructured data," adding that compliance is not a one-off, but an ongoing process. Morison agreed, saying, "People realise they need to know where their data is - and businesses are now more risk averse on sharing data - which could slow adoption of AI."


Cloud services are all about sharing data, and thus the issue of trust in service providers came to the fore. Some organisations were even reported to be duplicating everything they had in the cloud in case their provider went down. Iyengar suggested, however, that there is no going back from adopting the cloud, and when it comes to transferring data out, he said: "All cloud service providers offer a way to take data out, but how good it is varies from vendor to vendor."

Watkins suggested that: "We are still in the early days of cloud adoption. It's the future - look at Microsoft (and where it would be if it had not adopted this model)." Duffey concurred, saying that people now "realise it's better to get experts (to manage their security) than do it themselves," as people look for efficiencies.

When future technologies were considered by survey respondents, IoT was the big issue for SMEs and AI/machine learning led the field for enterprises, with a surprising lack of mention for edge computing, quantum and blockchain, which panelists noted. Fish suggested, however, that: "Businesses won't be able to keep up (with rapid changes) - but they will keep up better than the law and regulators." It was also suggested that the big change would be at the intersection of AI with big data when used in phishing - creating lures based on ever deeper understanding of their victims. Watkins addressed the issue of AI, noting what a terrible weapon it would be in the hands of those with bad intent if its capabilities were available to all online, but when it came to destroying jobs, he suggested that it would increase the value of the human skills of imagination and critical thinking.
