In Italy, €1.19 billion was spent on security in 2018, 75% of it by large companies, which launched projects to adapt to the GDPR. Overall, 23% of companies have already adjusted, 59% have ongoing projects, and 88% have a dedicated budget. The Data Protection Officer is present in three out of four companies, and one in two has appointed a Chief Information Security Officer.
These are the main findings of the research by the Information Security & Privacy Observatory of the School of Management of the Politecnico di Milano.
For Alessandro Piva, Director of the Information Security & Privacy Observatory, "We are facing a disruptive process regarding security management, which will pose major challenges in the coming months and years. Organisations are called upon to internalise adaptation mechanisms and develop instinctive rules, to be combined with tools, processes and competences."
With cyber attacks growing exponentially, Italian companies are increasing their investments in risk prevention.
The Italian market for information security & privacy solutions reached a value of €1.19 billion in 2018, rising by 9% (after the +12% registered in 2017). Large companies, with 75% of total spending, focus on adaptation to the GDPR and on more traditional security components (such as Network Security, Business Continuity & Disaster Recovery, Endpoint Security). 63% of large companies have increased their cybersecurity budget and 52% have a multi-annual investment plan, although almost one in five still does not provide for dedicated investments or allocates resources only if needed.
The measure of the GDPR effect
For adaptation to the European data protection legislation, the GDPR, 88% of companies dedicated a specific budget in 2018 (it was 58% a year ago).
Almost one in four companies has already completed the process of adapting to the GDPR, while 59% have structured projects still in progress.
Along with investments, dedicated professional roles are increasing: the Data Protection Officer is now present in 71% of companies (+16%), the Chief Information Security Officer in 59%, while more and more emerging profiles such as the Cyber Risk Manager, the iconic
Attention is growing for new technologies such as artificial intelligence, which is considered a threat by only 14% of companies, while 40% already use it to prevent potential threats and fraud and to manage the response to security incidents.
Innovative players are emerging that offer information security & privacy solutions: 417 startups at international level, which have collected a total of $4.75 billion in investments.
What cyber attacks point to
The main purposes of the cyber attacks suffered by companies in the current scenario are scams, such as phishing and business email compromise (83%), and extortion (78%), then intrusion for espionage purposes (46%) and interruption of service (3
Over the next three years, however, companies mainly fear espionage (55%), scams (51%), influence and manipulation of the public (49%), and the taking of control of systems such as production facilities (40%).
The main targets of the attacks today are email accounts (91%) and social media accounts (68%), followed by eCommerce portals (57%) and websites (52%). In the next three years, companies expect hackers to focus on mobile devices (57%), critical infrastructure such as electricity, water and telecommunications (49%), smart home & building (49%) and connected vehicles (48%).
The main vulnerability is human behaviour: for 82% of enterprises the first critical issue is distraction and low awareness of employees, followed by outdated or heterogeneous IT systems (41%) and updates and patches not performed regularly (39%). To minimise risk, 80% of companies have started training plans for staff.
For Gabriele Faggioli, Scientific Manager of the Information Security & Privacy Observatory, there is an unprecedented acceleration in the number and variety of attacks, and companies do not seem adequately prepared. Investment in recent years is a good basis for starting up, which has enabled organisational structures, procedures and competences to be put in place, but greater pervasiveness of security initiatives at all levels of management and organization of companies is needed and greater involvement of profiles dedicated to