Research uncovers gap between confidence and reality of business readiness for EU GDPR

Endpoint security specialist Carbon Black has conducted research in conjunction with Computing Magazine that uncovers “significant discrepancies” between the levels of confidence in General Data Protection Regulation (GDPR) readiness reported by organisations and the reality of how they will deliver compliance starting in May 2018.

A survey of 120 business decision-makers across multiple industry sectors has found that, while 86% reported being reasonably confident or very confident in their ability to comply with the European Union’s GDPR mandate on the rights of individuals to control all aspects of their personal data, 58% were not yet employing recognised frameworks or technologies to assess data risk.

Fewer than 10% of survey respondents said their tool sets for classifying critical data and then identifying and prioritising risks to data were effective and easy to manage. This lack of visibility across distributed organisations will make fulfilling requests for erasure – ie the ‘right to be forgotten’ – difficult to achieve.

It may also prevent organisations from identifying and neutralising data breaches within the GDPR’s 72-hour notification timescale. The survey found 60% of respondents admitting to taking hours or longer to identify their most serious recent security attack.

The survey also explored the defences that businesses have in place to protect customer data from malware and other cyber attacks. The response shows that individuals (40%) and endpoints (35%) are the most vulnerable to attack, followed by networks and servers.

There was also concern about the growing prevalence of hard-to-detect file-less/non-malware attacks, with 94% of respondents believing such attacks are likely to increase in the next two years.

Identifying and neutralising data breaches

Chris Strand, senior director for compliance and governance programs at Carbon Black, explained: “The rise in file-less attacks we’ve seen in the last 12-to-18 months is genuinely frightening when weighed against the upcoming GDPR requirements. In order to effectively identify and neutralise data breaches, it’s essential to know what constitutes normal network behaviours versus what’s suspicious. Failing to align the right data protection tool sets with people and processes, many organisations are at risk of non-compliance with the GDPR and, more importantly, placing their customers’ information in jeopardy.”

The research also highlights that more than a third of organisations may be struggling with the Privacy-by-Design principle which sits at the very heart of the GDPR, with 24% admitting they’re unsure whether they undertake Data Protection Impact Assessments (a legal requirement under the GDPR) and 13% stating they don’t carry them out.

Stuart Sumner, editor of Computing Magazine, commented: “Data protection by design and by default is at the centre of the GDPR. Our research has found that, while businesses state their confidence in being able to protect customer data, they don’t necessarily have effective tools and frameworks in place to deliver on their commitment. Businesses need visibility throughout their organisation and the ability to detect all types of attacks before they execute. Having the right endpoint detection and response tools in place can help to narrow the existing gap between confidence and reality.”

About the Author
Brian Sims BA (Hons) Hon FSyI, Editor, Risk UK (Pro-Activ Publications) Beginning his career in professional journalism at The Builder Group in March 1992, Brian was appointed Editor of Security Management Today in November 2000 having spent eight years in engineering journalism across two titles: Building Services Journal and Light & Lighting. In 2005, Brian received the BSIA Chairman’s Award for Promoting The Security Industry and, a year later, the Skills for Security Special Award for an Outstanding Contribution to the Security Business Sector. In 2008, Brian was The Security Institute’s nomination for the Association of Security Consultants’ highly prestigious Imbert Prize and, in 2013, was a nominated finalist for the Institute's George van Schalkwyk Award. An Honorary Fellow of The Security Institute, Brian serves as a Judge for the BSIA’s Security Personnel of the Year Awards and the Securitas Good Customer Award. Between 2008 and 2014, Brian pioneered the use of digital media across the security sector, including webinars and Audio Shows. Brian’s actively involved in 50-plus security groups on LinkedIn and hosts the popular Risk UK Twitter site. Brian is a frequent speaker on the conference circuit. He has organised and chaired conference programmes for both IFSEC International and ASIS International and has been published in the national media. Brian was appointed Editor of Risk UK at Pro-Activ Publications in July 2014 and as Editor of The Paper (Pro-Activ Publications' dedicated business newspaper for security professionals) in September 2015. Brian was appointed Editor of Risk Xtra at Pro-Activ Publications in May 2018.

Related Posts