Information security: risks increase, but investments do not keep pace

Cyber security and GDPR are two separate but closely related topics, in which data protection is central. How do Italian companies deal with this issue? The Information Security & Privacy Observatory of the School of Management of the Politecnico di Milano has taken stock of the situation.

26 Feb 2019

1.19 billion euros: this is the absolute value of the investments made by Italian companies in cyber security and privacy according to the latest research by the Information Security & Privacy Observatory of the School of Management of the Politecnico di Milano. 

This is a 9% increase over the previous year, probably in the wake of the introduction of the GDPR in May 2018. The trend is determined above all by the investments of large companies, which alone account for 75% of total expenditure, focusing essentially on compliance with the GDPR and on the more traditional security components, from Network Security to Business Continuity & Disaster Recovery and Endpoint Security.

According to the research results, 63% of large companies have increased their cyber security budget, while 52% have a multi-year investment plan for this budget item. In any case, there is still one company out of 5 that makes no provision for dedicated investments, or allocates resources only in case of need.

To adapt to the GDPR, 88% of companies have dedicated a specific budget: thanks to this, one in four has already completed the adaptation process, while 59% have ongoing projects. Recall that the GDPR also provides for the introduction of new professional figures such as the Data Protection Officer, who is now present in 71% of companies, with a +46% compared to 2017, and the Chief Information Security Officer, who is present in almost two out of three companies. The past year has also seen the emergence of hitherto little-regarded professions such as Cyber Risk Manager, Ethical Hacker and Machine Learning Specialist.

“The market for information security and privacy solutions is dynamic, with awareness and growing budgets, even if not at the same pace as 2017 – says Gabriele Faggioli, scientific director of the Information Security & Privacy Observatory – But at the same time there is an unprecedented acceleration in the number and variety of attacks and companies do not seem adequately prepared. The investments made in recent years are a good starting point, which has made it possible to put in place organizational structures, procedures and skills, but there is a need for greater pervasiveness of security initiatives at all managerial and organizational levels of companies and a greater involvement of security profiles in business strategies”. 

The use of emerging technologies for cyber security is growing: this is the case of artificial intelligence, used by 40% of companies to prevent attacks, threats or fraud. 

To date, companies see artificial intelligence more as an opportunity than a challenge. Only 14% of the sample believe it may pose a threat, mainly because of the long-term unreliability of machines and the possibility of using them to conduct targeted attacks, while 64% believe it is useful to automate the process of data collection and analysis to identify threats and vulnerabilities in advance and 17% to make decisions in support or in place of humans. This interest translates into concrete projects, with 40% of companies already using AI or Machine Learning techniques to prevent potential threats and identify attacks even before they occur (17%), to optimize the management of possible security incidents by automating the decision-making process and response time (15%) and to intercept possible fraud (8%). 36% of the sample is planning to adopt artificial intelligence solutions in the near future. 

But what are the main objectives of cyber criminals? Most of the attacks launched in 2018 can be grouped under the umbrella of scams, from phishing and business email compromise (83%) to extortion (78%). But there is no shortage of espionage intrusions (46%) and service interruptions (36%). However, looking at which attacks are expected to grow most sharply in the future, the fears of companies are mainly espionage (55%), fraud (51%), influence and manipulation of public opinion (49%), and acquisition of control of systems such as production plants (40%).

“Today it is necessary for organizations to adapt to change to avoid being overwhelmed by it – adds Alessandro Piva, director of the Information Security & Privacy Observatory – We are facing a disruptive process in terms of security management, which will pose significant challenges in the coming months and years. Organizations are called upon to internalize adaptation mechanisms and develop instinctive rules, to be combined with tools, processes and expertise, to address this challenge and react proactively to the threats they will face”.
