Black Hat's latest research report, entitled ‘The Cyber Threat In Europe’, publishes the findings from a September 2017 survey of nearly 130 IT and security professionals from more than 15 European countries. The report details major concerns among the Infosec community including critical infrastructure security, nation state attacks, enterprise security risks, and the implications of the NIS Directive and GDPR requirements.
Almost half of the respondents cite a foreign power (terrorist organization, rogue nation or large nation-state) as the primary threat to Europe's critical infrastructure. 42 percent also attribute the biggest threat to cyber espionage by major nation states. Most respondents are primarily worried about a multi-country breach rather than a critical infrastructure breach limited to their own country. These fears are heightened as a result of previous events, including the 2015 and 2016 Ukraine power grid attacks.
What role are the NIS Directive and GDPR requirements playing?
Only 11 percent believe that implementing the NIS Directive – the first Europe-wide legislation on cybersecurity – will make Europe's critical infrastructure more secure. Meanwhile, nearly 40 percent believe that a lack of required skills is the primary reason why security strategies fail, and the shortage is only being exacerbated by GDPR requirements at many organizations. Another 34 percent believe that implementing GDPR will add to the IT workload and budget, but won't have a major impact otherwise.
Why are organizations at risk?
65 percent of the respondents believe that they will have to respond to a major security incident within their organization in the next 12 months. Driving this expectation is a lack of budget and staffing. Nearly 60 percent of the respondents say they do not have enough of a security budget to mount an adequate defence, while 62 percent say they do not have enough security staff to defend against modern cyber threats. Additionally, 62 percent fear that enterprise data in Europe has become less secure because of recent activities in Russia and China. 42 percent believe that European law should be changed so enterprises can take offensive action against attackers, suggesting that professionals are frustrated over the ability of attackers to go unscathed while governments grapple with questions of attribution and proportional response.