GDPR heads security focus for large companies, disaster recovery for small - research

With 18 months to go before new regulations hit, larger firms are rushing to make themselves compliant

Larger organisations are focused on getting ready for the EU General Data Protection Regulation (GDPR) and other regulations while their smaller counterparts are concentrating on operational matters such as disaster recovery.

That is one of the findings of Computing's latest research into IT security, which divided the 300 respondents to an online poll into large (more than 500 employees) and small (fewer than 500 employees) companies.

Participants were asked to select up to five security areas that their business leaders were focused on. The top seven selections in each case are shown below.

Compliance with regulations such as GDPR, which comes into force in May 2018, was the top priority for larger businesses with 58 per cent choosing it; this ranked third on the list for smaller businesses at 44 per cent. Data governance ranked as the second highest scoring priority for large firms with 49 per cent choosing it, while only 33 per cent of smaller companies did so.

Organisations in heavily regulated industries such as finance, education, health and the public sector were even more likely to be focusing their efforts on compliance and governance. What's more, in highly regulated industries compliance was the top priority for the IT department too, whereas for the remainder it was about dealing with day-to-day threats and disaster recovery / business continuity.

Large organisations will find some aspects of the GDPR particularly challenging, such as complying with the right of citizens to demand the erasure of all their personal data. This data may be spread across thousands of systems and duplicated many times. They only have 18 months to update systems, controls and governance frameworks to make them compliant.

Smaller firms tend to have a more immediate focus on profit and loss, and compliance is likely to be less complicated with fewer premises and partners to consider. This probably accounts for the variation in rankings between the two groups.

Disaster recovery was the top priority for those employing fewer than 500 people, selected by 58 per cent of respondents; this ranked fourth for larger firms with 38 per cent selecting it as a priority. Such firms are perhaps more likely to view disaster recovery as an operational concern rather than a security-focused issue.

The importance of user awareness and training was high for all respondents with 50 per cent of those in smaller companies selecting it and ranking it second overall. In larger companies the equivalent figure was 44 per cent, and a ranking of third overall.
