Heightened Focus on Security Risk

Cybersecurity spending is up and legislation is looming in the face of increased threats.


IT research firm Gartner Inc. forecasts that worldwide spending on IT security will top $86 billion this year, up 7 percent from 2016. That spending is expected to reach $93 billion next year, Gartner estimates.

Security services, including IT consulting, implementation services, and outsourcing, is the fastest-growing segment. Gartner predicts 40 percent of managed security service contracts will be bundled with other security services and broader IT outsourcing projects by 2020. That's twice the current percentage of such bundles.

"Rising awareness among CEOs and boards of directors about the business impact of security incidents and an evolving regulatory landscape have led to continued spending on security products and services," says Sid Deshpande, Gartner's principal research analyst.

One growing area of cybersecurity risk is internet-connected medical devices, a Deloitte poll notes. In a May survey of 370 professionals working with medical Internet of Things (IoT) devices, 35 percent reported their organizations had experienced a cybersecurity incident in the past year. The respondents were participants in a webcast on medical devices and the IoT, and represented medical device manufacturers, health-care IT organizations, device users such as health-care providers, and regulators.

IoT devices in health care often store data such as sensitive patient information. That's made them targets of botnet attacks and ransomware schemes.

Thirty percent of Deloitte poll respondents said identifying and mitigating the risks of connected devices is their industry's biggest cybersecurity challenge. Moreover, just 18 percent of respondents said their organization is very prepared to address litigation, internal investigations, or regulatory matters related to medical device cybersecurity incidents in the next 12 months.

"As regulatory, litigation, and internal investigation activities start to focus on post-market cybersecurity management, leading organizations are taking a more forensic approach to discerning the time line and size of cyber incidents so the impact to intellectual property, client data, and other areas can be addressed more quickly," says Scott Read, risk and financial advisory principal with Deloitte Transactions and Business Analytics LLP.

Pressure to meet regulatory obligations to ensure cybersecurity protections may grow soon with the introduction of two cybersecurity bills in the U.S. Congress. One Senate bill, the Internet of Things Cybersecurity Improvement Act of 2017 (PDF), would require all IoT devices sold to the federal government to be capable of having security patches installed by users. Currently, many IoT devices have security measures such as pre-installed passwords that cannot be changed easily. The idea behind the bill is that IoT device manufacturers would include protections to meet the federal government procurement standards in all the devices they sell.

Another Senate bill focuses specifically on medical devices. The Medical Device Cybersecurity Act of 2017 would require medical device manufacturers to test their products' cybersecurity before they are sold. It would mandate safeguards for remote access to devices and seek to make cybersecurity updates free of charge.

Of course, regulation on its own won't protect IoT devices or corporate networks from cybersecurity incidents. Increasingly, there is a need for corporate boards to provide leadership on cybersecurity preparedness and response. But board members may not be ready to do so yet.

Among the 105 company boards that responded to the U.K. government's FTSE 350 Cyber Governance Health Check Report 2017 (PDF), 10 percent say their organization doesn't have a plan in place to respond to a cybersecurity incident. Also, 68 percent of board respondents say they haven't received training on how to address a cybersecurity incident.

Boards appear to know what's at stake, with 57 percent reporting they clearly understand the potential impact that could result from a loss or disruption of key data assets. More than half (54 percent) say they view cyber risk as a top risk.

One concern for these boards is their company's readiness to comply with the EU General Data Protection Regulation (GDPR), which takes effect in 2018. Only 6 percent say their company is completely prepared to meet the GDPR requirements, but 71 percent say they are somewhat prepared.

While boards are still catching up with the GDPR requirements, Gartner reports that businesses are paying up to ensure they can comply. It predicts GDPR will drive 65 percent of data loss prevention buying decisions between now and 2018.


Tim McCollum

About the Author

Tim McCollum is Internal Auditor magazine's associate managing editor. https://iaonline.theiia.org/authors/Pages/Tim-McCollum.aspx

 
