A majority of organisations are confident they can meet the GDPR’s 72-hour breach notification window, even though only a fraction of them have plans in place to comply with the requirement, a survey has revealed.
GDPR will make it mandatory for organisations to notify authorities and affected customers about data breaches within 72 hours of their discovery, but questions remain over how many will actually be able to comply.
On 25 May, the European Union will welcome the GDPR, a much-awaited piece of legislation that is expected to shake organisations out of their slumber and force them to tighten their cyber security protocols to keep cyber criminals at bay.
To add teeth to that intent, GDPR will enable authorities to impose unprecedented fines on organisations that suffer data breaches or theft of customer data as a result of poor cyber security practices, or that fail to follow the protocols mandated by the legislation.
Among the other requirements GDPR will impose on organisations is one that makes it mandatory for them to report data breaches to authorities and affected customers within 72 hours of discovery. With GDPR less than four months away, one would expect many organisations to have already created policies to abide by the requirement, but the reality is quite different.
A survey of 406 cyber security professionals, commissioned by Tripwire and carried out by Dimensional Research in November last year, revealed the present state of organisations’ preparedness for GDPR. The most significant takeaway from the survey was that only 18 percent of all organisations, yes, 18 percent, said they were fully ready to abide by the 72-hour breach notification window.
Despite this lack of readiness, 77 percent of cyber security professionals expressed confidence that their organisations could meet the 72-hour deadline once GDPR comes into effect. 24 percent of them went so far as to state that they could notify customers of a data breach within the first 24 hours, well inside the 72-hour limit.
Significantly, 73 percent of these professionals said they were only ‘somewhat prepared’ and would have to figure things out ‘on the fly’. This ‘on the fly’ approach is what Tim Erlin, vice president of product management and strategy at Tripwire, considers short-sighted and dangerous.
‘The majority of data breaches and security incidents can be avoided by following basic security steps and implementing tried and tested foundational controls. With GDPR coming into effect this year, running a business without a fully baked plan is really asking for trouble,’ he says.
‘There are plenty of tried and tested frameworks available from governing bodies in the cyber security space that can help organizations that feel like they’re struggling to prepare for a security incident and, more specifically, GDPR.
‘If you are an organization subject to GDPR – and as the rules apply to all companies worldwide that process personal data of European Union (EU) data subjects, that will be the majority of global businesses – you are not alone. Start researching resources that cater to your needs now to help you prepare, so that you aren’t hit with a big fine come May 2018,’ he adds.
Despite the major gap between the ‘perceived readiness’ and the ‘real-time readiness’ of organisations in complying with the 72-hour breach notification window, organisations are comparatively better placed when it comes to storing and handling customer data. Thirty-five percent of cyber security professionals told the surveyors that their knowledge of where customer data was stored was ‘excellent’, and another 22 percent said they had an excellent ability to protect customer data.
Also of interest is a talk by Daniel Chalmers, head of IT risk at Standard Life, delivered at #teissLondon2016, in which he discussed how mandatory data breach notification regulations will help firms fight cyber crime more effectively.