IT security: regulation has its effect


To motivate companies to take better account of security-related issues, there are obviously two solutions: the stick... or the stick. As the authors of the report “IT Threats and Security Practices” (MIPS) write: “for companies with more than 100 employees, if it is clear that the overall level of maturity continues to evolve ‘quietly’, this evolution is linked more to existing obligations (legal, regulatory, contractual) than to the actual consideration of the importance of information security.”

To unlock new budgets dedicated to security, we therefore come back to the two long-proven methods: regulation (we are thinking in particular of the NIS directive, which recently entered into force, but the GDPR and the LPM for operators of vital importance are also cited) or being the victim of an attack. Regulations and contractual requirements are by far the most frequently cited reason for organizing security audits in companies (59% of respondents). In addition, 73% of respondents consider themselves to be in compliance with the GDPR, and 57% of companies have a DPO (Data Protection Officer).

The RSSI (CISO) better identified

From the very outset, the report raises the question of the budgets allocated to security: “56% of budgets allocated to information security are fully challenged each year” and only 8% of security budgets can boast of having been “sanctuarized”.

However, there is progress: the role of the RSSI is today much better identified, with 72% of companies having an information systems security manager, against 58% in 2018, the date of the last study. This is a significant development both in companies with more than 2,000 employees and in smaller structures with between 100 and 499 employees. The RSSI is also more and more frequently attached to the group’s general management and, in more and more cases, has a team attached to the position.


In terms of tools and solutions, the study highlights the fact that while solutions aimed at protecting the user’s workstation are now well in place, mobile solutions remain on average not widely deployed: 100% of companies say they have generalized the deployment of antivirus, but only 25% deploy protection tools for phones and tablets. While “mobility is increasingly taken into account”, as the authors of the study note, the room for improvement in this area remains significant. The use of cryptographic tools fell slightly (-2%), but authentication and access control technologies are all on the rise, except biometrics.

Regarding the threats identified by companies, the most frequently cited causes of security incidents are the loss of an essential service (electricity, water, telecom), cited by 29% of respondents; internal hardware or software failures resulting in system unavailability (29%); and virus infections without the company being specifically targeted (22%). Sophisticated computer attacks specifically targeting businesses are nonetheless cited by 11% of respondents.
The CLUSIF MIPS study is carried out every two years and involves a survey of 350 companies with more than 100 employees. Two other parts of the study relate more specifically to local authorities and individuals.

