BlackHat Europe 2018: Shift Security Culture

Updated: Apr 12, 2020

Black Hat Europe (an organization that briefs attendees on the latest trends in information security at one of the biggest security conferences of the year) surveyed its attendees, and the results were quite interesting. Cybersecurity leaders seem unsure of their ability to protect end-user data, and they are particularly worried about an incoming breach of critical national infrastructure.

With 50 nations and 150 international companies gathered in Paris, France during the event to further improve cybersecurity, some European IT security professionals voiced their worries that the region isn’t ready should a breach occur in the near future. The continent needs to make greater efforts to protect data and infrastructure across national boundaries.

According to the Black Hat Report, approximately 65% of security professionals in Europe strongly believe that a successful breach affecting multiple European Union (EU) nations will occur within the next two years. The survey included 132 top-notch information security leaders.

“Vital infrastructure is way behind on the cyber threats,” said a respondent. “Attackers are often still hiding behind obfuscation techniques instead of [infrastructure] actually being secure.”

“We have reached the point where it is possible to cause mass destruction by a cyberattack,” another respondent agreed. “This is a very worrying thing, as certain individual actors may cause large amounts of damage.”

The concern raised in the 2018 Black Hat Europe survey is quite similar to that of North American security professionals in the Black Hat USA 2018 survey, in which about 69% of respondents claimed that US critical infrastructure would undergo a breach within the next two years. In both cases, security pros doubt the preparedness of their regional governments should a breach occur. Significantly, only 15% of the respondents in the US believe that the government and private sectors are ready for such imminent critical infrastructure attacks, while 18% of the respondents from the EU could say the same of their regional governments.

What’s interesting is that both Russia and China, two of the largest countries and two of those most feared by security pros, declined to sign the Paris record. According to 30% of the respondents, the main threat to critical infrastructure is posed by large nations. The concern goes further: respondents said that Russia, China, and North Korea had a lot to do with the compromise of European enterprise data. In fact, more than half of the survey participants believed this.

Concerns aren’t limited to critical infrastructure, either. Approximately 75% of the European security pros claimed that a major data breach will occur in the coming year.

When it comes to privacy, European security leaders are also not confident in their current regulations, including the GDPR, despite its efforts to prevent loss and misuse of personal information.

About 70% of the European security professionals said that their organizations have invested a lot in GDPR initiatives, yet not all of those who claimed this are confident about their organizations’ state of GDPR compliance. Interestingly, only a few believe that GDPR will actually make a difference in the protection of privacy.

Most of the participants are calling for a shift in security culture among both organizations and end users. “There’s too much focus on technological solutions and experts, not enough focus on getting organizations and individuals to adopt secure processes and behaviours,” said one respondent. “Prevention is better than detection and cure.”

Concern that the cyber staff in their organizations are undermanned was also highlighted. Only a few respondents agreed that they have enough staff to respond to threats, and respondents even went on to compare the situation to having a lot of people making a room dirty with just one person to clean up after them.

“We need education, tooling, [and] technology to begin influencing software engineers to write more secure code,” one respondent said.