European research by PAC and Reliance acsn has outlined the challenges and concerns that security professionals across Europe are facing and how they approach the serious issue of outsourcing functions. One of the key findings of the report was that compliance and GDPR were not seen as important reasons for employing third-party security firms, despite the need for detailed knowledge to comply with regulations.
When first appointing an MSSP, cost savings are overwhelmingly listed as a factor, probably influenced by C-Suite demands
The role of Managed Security Service Providers
With just over 12 months to go until GDPR becomes active, the research indicated very little awareness of how Managed Security Service Providers (MSSPs) could support businesses to comply with the EU legislation.
“We need to consider the fact that GDPR is a year away, and it’s now crunch time for companies. We all have to make sure we are ready, and using an MSSP can certainly improve how quickly you get prepared for it. I think we will see even more companies move towards a managed service model for their security infrastructure going forward. For many companies, it just makes perfect sense,” said Richard Henderson, Global Security Strategist at Absolute.
Only 20% of respondents said GDPR compliance was a good reason to employ an MSSP, highlighting the need to educate businesses on the crucial role MSSPs can play in achieving compliance.
“While MSSPs can provide a range of technical services to their clients to assist them to improve their cyber security posture and capabilities, it is important to remember that the GDPR is a privacy-focused regulation. While securing the information entrusted by individuals to an organisation is important, the privacy aspects of how to manage that data are equally important and should not be overlooked. Key to complying with the GDPR is for organisations to understand where personal data, both in physical and electronic format, are stored and processed. Once that is understood, then the organisations can look at ways to better protect that data, which could very well include the services of an MSSP. Without taking the crucial step of understanding what personal data the organisation holds, engaging an MSSP alone will not achieve compliance with GDPR and is very much putting the cart before the horse,” Brian Honan, CEO at BH Consulting, told Help Net Security.
Cloud is universally adopted but the security concerns have not gone away
Key drivers of digital transformation
Key drivers of digital transformation – including cloud, mobility and IoT – are the biggest source of security concerns for European organisations. 50% of respondents see digital transformation in itself as a security risk.
“Cloud services offer rapid scaling and rapid time to service which means cloud services are here to stay. The challenge is that assessing the security of a cloud service provider depends on two factors: what data is being protected and the size of the cloud service provider,” said Mark Sangster, VP and Industry Security Strategist at eSentire.
“Cloud service providers focus on protecting their systems, infrastructure, and their own data. Their liability does not extend to circumstances where user credentials of a cloud client are absconded in a way that did not come from the CSP itself. For example, the CSP is on the hook if they are hacked and client login details or personal data is made public; however, the CSP is not on the hook if the client is phished and surrenders their credentials, which are then used by the hacker to access the cloud service and obtain non-public information,” Sangster concluded.
GDPR will have an increasing influence over all security investment in the coming years
“Cybersecurity is a rapidly growing problem and a growing area of focus for the board. This report has shown that organisations are considering moving some operations in-house and that cost reductions are still the top driver for employing MSSPs, even in the face of major shifts, such as GDPR. Ultimately, organisations need to focus first on securing their critical assets and to do this properly a managed end-to-end security approach is needed. This is challenging to handle alone, not just for in-house IT departments but also for MSSPs. As a result, we expect to see closer partnerships with our customers in a more integrated fashion in order to safeguard the business against cyber threats,” said John Madelin, CEO at Reliance acsn.