Endpoint security specialist Carbon Black has conducted research in conjunction with Computing Magazine that uncovers “significant discrepancies” between the levels of confidence in General Data Protection Regulation (GDPR) readiness reported by organisations and the reality of how they will deliver compliance starting in May 2018.
A survey of 120 business decision-makers across multiple industry sectors has found that, while 86% reported being reasonably confident or very confident in their ability to comply with the European Union’s GDPR mandate on the rights of individuals to control all aspects of their personal data, 58% were not yet employing recognised frameworks or technologies to assess data risk.
Fewer than 10% of survey respondents said their tool sets for classifying critical data and then identifying and prioritising risks to that data were effective and easy to manage. Without an inventory of where personal data lives across a distributed organisation, fulfilling requests for erasure (the ‘right to be forgotten’) will be difficult: data that cannot be located cannot be deleted.
It may also prevent organisations from identifying and containing data breaches quickly enough to meet the GDPR’s requirement to notify the supervisory authority within 72 hours of becoming aware of a breach. The survey found 60% of respondents admitting that it took hours or longer to identify their most serious recent security attack.
The survey also explored the defences that businesses have in place to protect customer data from malware and other cyber attacks. Respondents rated individuals (40%) and endpoints (35%) as the parts of their organisation most vulnerable to attack, followed by networks and servers.
There was also concern about the growing prevalence of hard-to-detect file-less/non-malware attacks, with 94% of respondents believing such attacks are likely to increase in the next two years.
Identifying and neutralising data breaches
Chris Strand, senior director for compliance and governance programs at Carbon Black, explained: “The rise in file-less attacks we’ve seen in the last 12-to-18 months is genuinely frightening when weighed against the upcoming GDPR requirements. In order to effectively identify and neutralise data breaches, it’s essential to know what constitutes normal network behaviours versus what’s suspicious. Failing to align the right data protection tool sets with people and processes, many organisations are at risk of non-compliance with the GDPR and, more importantly, placing their customers’ information in jeopardy.”
The research also highlights that more than a third of organisations may be struggling with the principle of data protection by design and by default (often called Privacy by Design), which sits at the very heart of the GDPR: 24% admitted they were unsure whether they undertake Data Protection Impact Assessments (a legal requirement under the GDPR for high-risk processing) and a further 13% stated they do not carry them out.
Stuart Sumner, editor of Computing Magazine, commented: “Data protection by design and by default is at the centre of the GDPR. Our research has found that, while businesses state their confidence in being able to protect customer data, they don’t necessarily have effective tools and frameworks in place to deliver on their commitment. Businesses need visibility throughout their organisation and the ability to detect all types of attacks before they execute. Having the right endpoint detection and response tools in place can help to narrow the existing gap between confidence and reality.”