More than a year on since its implementation, one in ten businesses are still failing to comply with the European Union’s General Data Protection Regulation (GDPR).
When a breach occurs, businesses are required to notify the appropriate data authorities and those impacted within 72 hours of becoming aware of it. However, a new study by security software company Tripwire has found that more than 14% of organisations present at Infosecurity Europe earlier this month weren’t confident that their organisation would meet that deadline.
Tripwire surveyed close to 300 attendees at Infosecurity Europe, a leading cybersecurity event that brings together organisations and professionals in the cybersecurity space.
The largest share of individuals surveyed (48%) said that their organisation would notify those affected within 24 hours. Yet 8% said it would take up to a week to notify affected users, with 3% admitting that their organisation would likely take more than a month.
Those that fail to comply with GDPR risk a fine of up to €20m or 4% of global annual turnover, making it imperative for businesses to meet the deadline.
GDPR compliance: improvements needed
According to Tim Erlin, vice president of product management and strategy at Tripwire, the results show that organisations are generally well prepared to comply with GDPR in the wake of a data breach, with 86% of organisations expected to meet the 72-hour deadline. However, Erlin believes that everyone in the information security space should know what GDPR compliance requires.
“These results are fairly encouraging and indicate that knowledge about GDPR’s requirements around data breaches is spreading,” Erlin said. “There is still room for improvement, however. Anyone in an information security role should be familiar with the basic requirements of GDPR and what their responsibilities are.”
Some 34% of respondents, for example, admitted that they were unsure whether to report a data breach if the data was publicly exposed but wasn’t exploited by bad actors.
According to the Information Commissioner’s Office (ICO), a personal data breach refers to the “accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data”.
This means that ransomware attacks, even when no personal data appears to have been stolen, also need to be reported to the relevant authorities.
“There will be a personal data breach whenever any personal data […] is made unavailable, for example, when it has been encrypted by ransomware,” the ICO website states.
Yet, 33% of security professionals were either unsure or felt that a ransomware attack didn’t need to be reported unless data was stolen.
“It can happen to any company”
“It can take a huge breach of data to wake up a company and make them rethink policies and procedures,” Jake Moore, cybersecurity specialist at ESET, previously told Verdict.
That is clear from the Tripwire study, which found that close to one in ten of the organisations represented in the study did not have an incident response plan in place. Another 5% admitted that they hadn’t updated their response plan in more than a year.
Likewise, 15% of those surveyed admitted that employees at their organisation had not been trained to prevent or respond to a data breach, despite a large number of breaches occurring as a result of attacks that target company employees.