The new EU Directive on Cyber Security is going to have a huge impact on all organisations that trade in the EU. The Directive states that any organisation that does not have their cyber security in order and suffers a security breach will face extremely heavy fines of up to 2% of their annual global turnover. This means for large enterprises or banks, fines could run into millions or billions of pounds.

The following link gives details on Global 500 companies annual global turnover and revenue:  http://money.cnn.com/magazines/fortune/global500/index.html

Based on this information, we have calculated the following:

  • Royal Dutch Shell has a global revenue of $481.7 billion so the fine could be as high as $9.634 billion
  • Wal-Mart which owns Asda in the UK has global revenue of $469.2 billion so the fine would be as high as $9.384 billion which is over half of their profit for 2013
  • BP has a global revenue of $388.3 billion so the fine could be as high as $7.766 billion, which is over three quarters of their profit for 2013
  • Apple has a global revenue of $156.5 billion so the fine could be as high as $3.130 billion
  • Ford has a global revenue of $134.3 billion so the fine could be as high as $2.686 billion, almost half of the annual profit for 2013
  • JP Chase Morgan has a global revenue of $108.2 billion so the fine could be as high as $2.164 billion

However, despite these worrying figures, recent research from Tripwire and the Ponemon Institute has revealed that many industries are seriously behind in terms of IT security and risk facing extremely heavy fines when the Directive comes into action. Findings from the survey include:

  • 28 percent of organisations do not have a formal risk management strategy applied consistently across the entire enterprise
  • Only 5 percent have a mature risk-based security management program
  • The most significant barriers limiting the adoption of effective risk-based management activities within their organisation are:
    • 34 percent said insufficient resources or budget
    • 18 percent said lack of C-level support or buy-in
    • 48 percent said lack of skilled or expert personnel
  • Only 51 percent assess risks
  • Only 58 percent assess vulnerabilities
  • Only 58 percent identify threats
  • Only 13 percent of organisations have regularly scheduled meetings with senior executives to discuss the state of security risk with senior management
  • 25 percent do not communicate security risks to senior executives
  • 37 percent only communicate security risks to senior executives when a serious security incident occurs
  • 49 percent believe they are not effective at communicating the facts about the state of security to senior executives, because:
    • 59 percent say the information is too technical to be understood by non-technical management
    • 55 percent say negative facts are filtered before being disclosed to senior executives and the CEO
    • 14 percent say senior executives are not interested in this information
    • 36 percent say it takes too much time and resources to prepare reports to senior executives

These figures highlight the fact that many organisations are seriously behind in terms of IT security and, if they don’t get themselves in order, they are going to be suffering some extremely heavy fines when the Directive comes into force.

– Lucy