While 50 nations and 150 global companies gathered in Paris last week to boost the call for better cybersecurity, European IT security professionals this week are registering their concerns that the region isn't ready for an anticipated attack on critical infrastructure.
The 2018 Black Hat Europe Attendee Survey, published Wednesday, offers a sobering look at the state of cybersecurity defenses in Europe, bolstering the Paris meeting's conclusion that greater efforts are needed to protect data and infrastructure across national boundaries.
Nearly two-thirds (65%) of security pros in Europe believe a successful cyberattack affecting the critical infrastructure of multiple EU nations will occur in the next two years, according to the Black Hat report. The survey of 132 high-level information security leaders was released in advance of the Black Hat Europe conference, which will take place in London Dec. 3 to 6.
"Vital infrastructure is way behind on the cyberthreats," said one Black Hat survey respondent. "[Attackers] are often still hiding behind obfuscation techniques instead of [infrastructure] actually being secure."
Another respondent agreed. "We have reached the point where it is possible to cause mass destruction by cyberattack," the respondent wrote. "This is a very worrying thing, as certain individual actors may cause large amounts of damage."
This level of concern, which has changed very little since the 2017 Black Hat Europe Attendee Survey, mirrors similar concerns voiced by North American security pros in the Black Hat USA 2018 survey, in which 69% of respondents said they believe US critical infrastructure will suffer a breach in the next two years. And in each case, security pros are doubtful that their regional governments are prepared to respond to such a breach. Only 15% of US respondents believe the US government and private-sector entities are ready for imminent critical infrastructure attacks; 18% of EU respondents believe their regional governments are sufficiently prepared.
Interestingly, two of the largest countries that declined to sign the Paris accord – Russia and China – are among the countries that European security pros fear most. According to a plurality of those surveyed (30%), the top threat to critical infrastructure is posed by large nation-states like Russia and China. Their concern also extends to their own environments; more than half of survey participants said they believe recent activity from Russia, China, and North Korea has made European enterprise data less secure.
And concerns are not limited to critical infrastructure. Some three-quarters of European security pros said a major data breach will occur in their own organizations in the coming year. Only about a quarter of respondents said such a breach is unlikely to occur.
In the area of privacy, European security leaders have a similar lack of confidence that current regulations – including GDPR, which went into effect in May – will prevent the loss and misuse of personal information, such as what Facebook experienced earlier this year.
A solid 70% of European security pros said their organizations have dedicated resources to GDPR initiatives. Yet only slightly more than a third are confident in their organizations' state of GDPR compliance. Interestingly, while 85% of those surveyed think that GDPR will help at least a little in protecting individuals' privacy, fewer than one in four think that impact will be substantial.
Like the participants at the Paris accord, many of the survey respondents called for a shift in security culture, both in organizations and among end users.
"There's too much focus on technological solutions and experts, not enough focus on getting organizations and individuals to adopt secure processes and behaviors," commented one respondent. "Prevention is better than detection and cure."
Another concurred: "Business is segmented, [which] leads to a mindset that security is the responsibility of someone else – and the security controls put in place to provide security are obstacles to be avoided, rather than embraced."
Many of the European security pros continued to register concern about the shortage of trained cyberstaff in their organizations. Fewer than half of European security leaders said their organizations have enough staff to respond to the threats they expect to encounter in the next 12 months.
"No company is staffed appropriately for security," one respondent said. "In my group, we have one security practitioner for each 107 software developers. That's an impossible ratio. Imagine 107 people creating dirty rooms, and one person responsible for cleaning each room – mission impossible. We need education, tooling, [and] technology to begin influencing software engineers to write more secure code."
Black Hat Europe returns to London Dec 3-6 2018 with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall.