What We Learned from Infosecurity Europe 2019: GDPR, Budgets, and People Problems
Infosecurity Europe 2019 has come and gone this week, highlighting new broad industry trends, re-examining security specifics and challenging existing thinking. We take a look at the big research, trends and issues raised over the last week.
Infosecurity Europe’s regular attendee polls are a feature of the event, with keynote delegates on day one stating that the majority - 70 per cent - are expecting an attack on the UK’s critical national infrastructure this year.
A longer-term Infosec poll found that a majority of companies (68 per cent) have not taken the EU General Data Protection Regulation (GDPR) seriously and are still not compliant. Delegates also believe that watchdogs should toughen up, with almost half (47 per cent) agreeing that GDPR regulators are being too relaxed when it comes to enforcing standards. An Infosecurity Europe Twitter poll revealed that just over a third (38 per cent) believe that GDPR compliance has dominated their organisation in the last 12 months and hindered their plans for other cybersecurity projects.
The numbers kept coming throughout Infosec Europe 2019, with an interesting survey on the reach and prevalence of insider threats by Deep Secure throwing up some concerning results. Nearly half of British workers would be willing to sell corporate data to external parties and one in four would do so for just £1,000. The survey of 1,500 people took an even darker turn, however, finding that while the majority of ‘insiders’ used the obvious techniques to exfiltrate data, such as printing, photos or USB drives, eight per cent of ‘insiders’ said they had used some kind of covert cyber tool. While this percentage rose to an unsurprising 13 per cent in the IT and telecoms industry, a whopping 15 per cent in HR are using covert data exfiltration tools, according to the research.
Infosec’s keynotes always draw a big crowd with some big-hitting names, and 2019 was no different, with former Lloyd’s of London chief Dame Inga Beale taking to the rostrum to add context to the business perception of cyber threats. “We now talk about cyber as one of the biggest risks businesses are facing,” she told attendees. “From a risk management perspective, it’s one of the hottest topics, but also the one we know the least about.”
Beale also spoke of the potential value of cyber insurance, but pointed to a lack of maturity in the space, as well as the challenges of plotting accurate data in such a fast-changing threat landscape. “[The insurance sector] needs data, because we need to run the scenarios to work out how much we should charge,” she said. “If we can connect the tech sector, the security sector and the insurance sector, [the UK has] got an unrivalled package to go out and cement our place as the leading centre for people to come for [these services],” she told delegates and reporters from New Statesman Tech.
The second of Infosecurity Europe’s daily visitor polls asked keynote attendees the question: In 2019, have you experienced difficulties in getting investment from the board to secure legacy systems while embracing new technologies? A worrying 57 per cent said that they had.
That budget squeeze has not been kind to IT security personnel, according to another survey, which found that 70 per cent have considered quitting because they do not have enough resources to manage the surge in attacks. Half of the security workers surveyed said that staff shortages were the biggest threat to business security.
Although 57 per cent said that alert overload was a significant issue - potentially due to an average of 33 pieces of software in use - 65 per cent said they thought new technology might hold a solution, with 86 per cent believing that increased automation would deliver benefits.
Ed Macnair, CEO of cloud security company Censornet, which commissioned the survey, told CloudPro: "It's no secret that companies of all sizes have been having a hard time finding qualified personnel to manage their often-overwhelmed security operations."
"Until now, humans have been limited by their inability to see across multiple point products and correlate information - without huge amounts of manual work.
"Automating activity such as repetitive low-level tasks usually undertaken by a human can free up limited analyst resources to focus on more advanced tasks, helping to close staffing and expertise gaps and also help stave off cyber fatigue. It is taking the security industry beyond events and alerts and into 24x7 automated attack prevention."