The directive, which was adopted in July this year, will require that organizations circulate early warnings of cyber risks and incidents, and that actual security incidents are reported to cyber security authorities. Organisations that suffer a breach because they do not have sufficient IT security in place to protect their digital assets face fines of up to two percent of their annual global turnover.
However, a Ponemon Institute and Tripwire study, which looked at security management of 1320 IT security professionals working in healthcare and pharmaceuticals, financial services, the public sector, retail, industrial, services, technology, software and communications or education and research, revealed that most organisations are under prepared for the Directive and therefore at risk of being fined millions of pounds.
The overall findings from the survey were:
- 28 percent of organizations do not have a formal risk management strategy applied consistently across the entire enterprise
- Only 5 percent have a mature risk-based security management program
- Only 51 percent assess risks
- Only 58 percent assess vulnerabilities
- Only 58 percent identify threats.
Other findings revealed that:
- Only 13 percent of organizations have regularly scheduled meetings with senior executives to discuss the state of the security risk with senior management
- 25 percent do not communicate security risks to senior executives
- 37 percent only communicate security risks to senior executives when a serious security incident occurs
- 49 percent believe they are not effective at communicating the facts about the state of security to senior executives.
“This Directive is an excellent reminder that adopting a recognized set of security controls can significantly accelerate the implementation of a reliable security strategy,” said Melancon, “Organizations looking to improve security practices can also access a wealth of practical information through peer groups such as sector-specific ISACs (Information Sharing and Analysis Centres) where they can share methods and practices to improve their chances of achieving strong outcomes for cyber security.”