We’re approaching the one year anniversary of the implementation of the General Data Protection Regulation (GDPR), yet the strict European Union laws have done little to force businesses into action.
The Hiscox Cyber Readiness Report 2019, which looks at the preparedness of businesses in the United Kingdom, Europe and the United States to deal with cyber threats, found a sharp increase in the number of businesses hit by cyberattacks in the past year. Three out of five businesses reported a cyberattack in 2018 compared to 45% in the previous year.
Likewise, the report found a decrease in the number of firms with “expert” cybersecurity practices, down by 1% year-over-year despite cybersecurity spending increasing.
There was a sharp increase in the cost of suffering a cyberattack. Firms are reporting that dealing with an incident cost $369,000 on average in 2018, up 61% from $229,000 in 2017.
With GDPR now looming over companies with poor cybersecurity practices, they risk ever greater costs if data is compromised in an attack. Under EU laws, businesses can be hit with fines of up to €20m or 4% of global annual turnover if GDPR is breached.
A proactive approach to data protection
GDPR is probably best epitomised by the data collection warnings that those browsing the internet in the EU are now bombarded with. While consumers may only be required to tick a few more boxes, there is a lot more to it for businesses keen to safeguard against data breaches and GDPR fines, according to Gero Decker, CEO of business process management company Signavio.
“With cyberattacks on the rise and no company immune, one thing is for certain — every business must proactively manage risk and ensure ongoing compliance,” he said.
According to Decker, part of the cause of cybersecurity struggles is siloed business units. Employees often have to rely on complex, manual and paper-based compliance systems, which leave them unable to see how a cyberattack on one part of the business would affect other areas. However, GDPR could offer an opportunity for businesses to reevaluate their cybersecurity practices and develop better, more transparent action plans.
“To truly remain committed to compliance, and make it more than a tickbox exercise, businesses need to harness existing internal data to be able to detect, prevent and mitigate breaches.”
“Mapping out processes against regulatory frameworks such as the GDPR gives business users full visibility of areas where companies are handling data, what is required, the risks involved and how to mitigate them,” Decker added. “Identifying where the risks lie in processes will enable employees to apply relevant controls.”
While completely avoiding cyberattacks may seem like an impossible task, recording and analysing incidents will also provide businesses with valuable data that helps them respond better to the next one, Decker believes. This data can be used to optimise the way breaches are reported, keep track of the processes that are impacted, identify new risks and develop security controls that aren’t yet in place.
“In today’s digital age, robust and proactive risk and compliance management is a must to future-proof any business.”
Businesses do appear to be taking their cybersecurity and data protection obligations seriously. Firms now spend $1.45m annually on cyber defences, and of the 5,400 quizzed by Hiscox, two-thirds plan to increase their cybersecurity budget by at least 5% in 2019, showing that businesses are at least thinking about GDPR and cybersecurity.