Cybersecurity: the market is worth 972 million in Italy, but companies are unaware

According to the observatory of the Milan Polytechnic, the information security market has experienced a 5% increase compared to 2015 – Awareness is growing, but threats on Cloud, Big Data, Internet of Things, Mobile and Social require new models of organization

The attention of Italian companies to IT security is growing, in a very difficult year on this front, amid the discovery of the breach of 500 million Yahoo accounts and the alleged cyberespionage actions during the US presidential elections. In 2016, the information security solutions market in Italy reached 972 million euros, up 5% compared to 2015, with expenditure concentrated in large companies (74% of the total) and divided between technology (28%), IT integration services and consultancy (29%), software (28%) and managed services (15%).

This was stated by the Information Security & Privacy Observatory of the School of Management of the Milan Polytechnic, presented on Thursday morning at the conference "Cyber Crime: The invisible threat that changes the world". According to the study, although awareness is growing, in the face of the new challenges posed by the development of technologies such as the Cloud, Big Data, the Internet of Things, Mobile and Social, a long-term approach to managing security and privacy with a clear governance structure is not yet widespread: only 39% of large companies have an investment plan with a multi-year horizon and only 46% formally have the figure of Chief Information Security Officer, the managerial profile in charge of security.

"Cyber crime is a concrete, though often invisible, threat capable of influencing the world, as demonstrated by the daily news stories, which requires new tools and models to deal with it," says Gabriele Faggioli, scientific director of the Information Security & Privacy Observatory. "The new digital innovation trends such as Cloud, Big Data, Internet of Things, Mobile and Social require new answers that can no longer be postponed. The new European Regulation on the Protection of Personal Data creates some of the preconditions necessary to arrive at a reference framework, which however requires to be understood and implemented. The Information Security & Privacy management path requires companies to put in place suitable governance models, planning and solutions to face the transformation."

As Alessandro Piva, Director of the Information Security & Privacy Observatory, explains: "If we analyze the research data more deeply, in fact, we realize how large Italian organizations are still behind: more than half do not yet have a codified managerial figure for IT security management, highlighting an important gap compared to what happens in other countries. Furthermore, there is a delay in understanding the implications of digital innovation trends such as Cloud, IoT, Big Data, Mobile, on security management. In the current context, more mature and transversal governance models are needed, ensuring the correct mix of skills to manage increasingly pervasive technologies. And it is necessary on the one hand to design systems capable of predicting possible attacks, on the other to develop awareness programs for users, in order to promote responsible behaviour."

The projects
The security projects of Italian companies are mainly oriented towards identifying risks and protecting against attacks, while support for event detection and then response and recovery is still immature. In fact, the most popular projects among large companies are penetration tests and data security (51%), network security (48%), application security (45%), endpoint security (43%), security information & event management (SIEM) (38%), messaging security (38%), web security (36%), identity governance & administration (IGA) (32%), threat intelligence (20%), transaction security (19%) and social media security (16%).

The most widespread policies, on the other hand, concern backup (89%), the management of logical access (84%), the regulation of IT security policies (80%), the management and use of company devices (72%), data lifecycle management (58%), the use of social media and the web (57%), the actions to be implemented in response to IT incidents (52%), data classification policies (52%) and data encryption (39%).

Mobile
Almost all Italian companies (97%) make mobile devices available to their employees, including notebooks, smartphones and tablets, as well as mobile business apps, with risks arising not only from the possible theft or loss of mobile devices, but also from possible targeted cyber attacks. 74% of Italian companies have specific initiatives to mitigate the risk associated with Mobile Security, which concern both the introduction of specific technological platforms and tools, such as MDM (Mobile Device Management) solutions that restrict how mobile devices are used (61%), and the formal definition of rules that device users must follow when accessing business systems and data. 27% of organizations have established regulations that limit access to particular applications and services from networks outside the company, and 61% have established specific policies for the use of mobile devices.

Cloud
The main risks for cloud environments depend on the relationship with the supplier: the most important threat for 63% of companies is the lack of control over the operations of the service provider, for 44% it is lock-in with the supplier and data breach, and for 41% it is the lack of transparency with respect to contractual obligations with the supplier. It is therefore clear that it is no longer the technological threats that concern companies: ever greater attention must be paid to the drafting of the contract and the management of the relationship with the providers.

IoT
With the development of the Internet of Things, the number of devices connected to the network, and therefore the possible entry points for an attack on the corporate information system, increases. 47% of organizations have not yet implemented any action to protect themselves in this area, 41% are evaluating possible actions, 13% have security-by-design policies in product design (with measures such as monitoring the use of credentials and better programming practices), 10% use specific technological solutions, 9% have policies on the collection of data within the corporate perimeter and 5% on the management of data collected by smart objects.

Cyber intelligence
Cyber threats are increasingly becoming an integral part of the corporate digital fabric, and it is not possible to avoid security breaches 100% of the time, so alongside the traditional approach based on protecting systems, companies are beginning to adopt a logic of anticipating threats. The analysis of data related to information security is overseen by 57% of organizations through formal or informal oversight; in 8% there is oversight outside of core information security activities, and in 35% there is no oversight at all.
32% of companies do not use data to interpret or anticipate critical issues, while the remaining 68% have started actions in this area. The integration of data from various sources (worldwide incident data, IP addresses, logs, suspicious URLs from user reports, etc.) makes it possible to develop threat monitoring models capable of intercepting possible anomalies and managing them before the situation actually becomes critical. In some companies there are dedicated structures within the Security Operation Centers which analyze and correlate the data from a Cyber Intelligence perspective.

Insurance
The cyber risk insurance market is still immature in Italy. Cyber risk coverage is aimed at covering damages caused directly to the policyholder or to third parties, from the investigation and management of events, to the handling of preliminary inquiries, to damage coverage. Only 15% of companies already have active insurance coverage, and in only just over half of those cases (8%) are these policies expressly oriented towards cyber risk, while in the remaining cases they are general policies that include it as a condition. 29% are evaluating insurance coverage, while 32% do not consider the cyber insurance market mature enough or do not consider the problem relevant.

The X factor

In security the X factor is fundamental: the element of uncertainty linked to human behavior, such as distraction or lack of awareness, often exploited by cybercriminals to breach corporate systems. 95% of Italian organizations have already launched specific actions to raise awareness among corporate users. The most widespread initiatives concern periodic communications sent to employees by email (77%) and training courses through classroom sessions or e-learning (66%). In 28% of cases, training is also supported by the occasional distribution of information material (vouchers, booklets, posters). For 28% of organizations these are real structured awareness projects using various tools, often covering a multi-year horizon. Vulnerability assessment activities are also carried out on company employees (28%), for example by sending simulated phishing emails or running attack simulations, which serve on the one hand to measure the level of employee awareness and on the other to test the effectiveness of the initiatives already carried out.

SMEs
The analysis of the diffusion of information security solutions among about 800 small and medium-sized Italian enterprises reveals that 93% of SMEs dedicated a budget to it in 2016, although this does not necessarily correspond to a mature and conscious use. In fact, the main reasons for investing are regulatory compliance (48%) and attacks suffered in the past (35%), but sometimes they follow the need to respond to new technological (22%) or business (31%) needs. Most SMEs have basic security solutions (76%) such as antivirus and antispam, and 62% declare that they also have more sophisticated solutions, such as firewalls or intrusion detection systems. However, one in four organizations (25%) is guided by common sense, without a defined technological approach. 46% have well-defined company policies, while only 10% have training programs aimed at increasing awareness. The approach to security in SMEs is mainly oriented towards identification (66%) and protection (66%), much less towards detection (12%) and response (15%). Attention to the survey grows as the size of the enterprise increases, going from 11% of small enterprises to 20% of medium-sized ones.
"SMEs seem to underestimate the growth of risk awareness among their employees," notes Alessandro Piva. "Only 9% of small companies (between 10 and 49 employees) have specific training programs to increase resource awareness of IT risks, while the relevance of awareness actions grows with the increase in company size, reaching 20% for medium-small companies (between 50 and 99 employees) and 24% for larger companies (between 100 and 249 employees)."