With the cyber-attacks in 2017 and changes to data privacy legislation, IT security will be a major concern for companies in 2018. Here are five key trends identified by Deloitte in a new report called “Cyber Issues in 2018.”
A Deloitte study (in French) published in January 2018 attempts to show the hidden part of the iceberg where cyber-security is concerned by highlighting five key trends for the coming year. The report is based on interviews conducted at the end of 2017 with the business line, IT and cybersecurity managers of 403 companies.
1 – Cyber-attacks are on the rise
The Deloitte survey reveals that 71% of companies interviewed said they are increasingly under attack from cyber-crime.
In order to combat these attacks more effectively, 75% of companies have implemented new security measures. The top four measures are staff training and awareness (56%), putting in place a new organisation by appointing a Chief Information Security Officer (CISO) or Data Protection Officer (DPO), etc. (35%), applying a new access rights policy (31%), and data encryption (16%).
2 – Cyber-insurance
Only 24% of respondent companies have taken out cyber-security insurance. And yet, warns Deloitte, the proliferation of cyber-attacks means companies should adopt a new approach to cyber-security. The firm recommends a cyber-security policy based on two approaches: anticipating attacks to ensure business continuity, and choosing a cyber-insurance policy.
The different risk coverage options currently available are for loss of personal data (42%), intellectual property protection (32%), viruses and ransomware (24%), the company’s brand image (20%) and security incidents (15%).
3 – Human error
63% of cyber-security issues are caused by an employee: an organisation’s IT system is thus vulnerable to the malevolent or accidental acts of its staff. Other sources of incidents are suppliers and partners (15%) and former employees (12%); the remaining 10% come under “other”.
Companies are thus encouraged to increase awareness of security issues among their staff. They could also limit access rights to the IT system. Either way, any such policy requires input from Management to define roles and responsibilities and organise training.
4 – Cyber-security technologies
Cloud and SaaS-based security services, using data for monitoring, and strong authentication for access to sensitive applications are the three main technologies identified by Deloitte.
Cloud providers are thus offering more security and data protection guarantees. Cloud architectures also offer substantial data storage and processing capabilities, which are essential for handling security events.
And as passwords are no longer enough, alternative log-in methods for critical applications and data are being used. For 31% of the companies interviewed, using a second authentication method (SMS, biometrics, etc.) for employees or third parties (suppliers, clients) is a way of significantly reducing the risk of fraud, whilst improving the user experience.
5 – New regulations
The implementation of stricter legislation for personal data protection, most notably GDPR, has forced companies to adapt and plan ahead.
The main regulations coming into force in 2018 are:
- GDPR (General Data Protection Regulation), which comes into force in Europe in May this year, forces organisations to ask for people’s consent with respect to using their data. According to the Deloitte survey, 91% of respondent companies have already taken steps to ensure GDPR compliance.
- PSD 2 (Payment Services Directive), which came into force in Europe on 13th January 2018, sets down the rules governing the new players in the payment market (FinTechs). Information gathering and payment are now subject to specific security measures (API security, strong authentication, etc.).
- The SWIFT security programme, which has been in force since January 2018, includes a set of mandatory security standards for members of the network. Each SWIFT member must from now on submit self-attestation data on the three key requirements of the programme (‘Secure your Environment’, ‘Know and Limit Access’, and ‘Detect and Respond’).