A survey of over 170 IT decision-makers at Irish businesses makes for grim reading for anyone concerned with data protection: 25% either don’t know what GDPR is or have yet to start preparing for it.
The research, conducted by cybersecurity provider Ward Solutions, found that despite potential fines of €20m or 4% of global turnover, 20% of Irish company directors are completely unaware that the fines exist, with a further 31% unaware of the severity. With 74% of organisations processing the personal data of Irish and/or EU citizens, that’s a lot of risk.
Mind the gap
On a positive note, almost half of organisations (46%) said they had the required resources to address these challenges in-house, rising to 75% for “resources to do most of the work.” The problem, it seems, is a gap in both communications and understanding of the consequences at C-level: more than half of those surveyed (52%) said their board “lack sufficient understanding of our current information security situation.” According to Ward, “Our experience is that once they become aware not only of the fines, but the prospect of legal action from subjects, coupled with the obligations that GDPR now places on individual businesses, C-level and the board become engaged quite quickly.”
Ignorance is bliss
The general lack of awareness around GDPR is, unfortunately, underpinned by a similarly vague approach to data security: 42% of organisations say they have no plans in place to deal with a breach.
Apart from the fact that this represents a significant increase on last year's survey (26%), it exposes another gap in understanding of the GDPR, which requires companies to report a personal data breach to the relevant supervisory authority within 72 hours of becoming aware of it. Whether employees are sufficiently clued-in on information security best practice is also unclear: 38% of companies don't audit employee awareness at all, and a further 23.5% do so less than once a year. Only 28% manage an annual audit.
If that sounds like an accident waiting to happen, it is: 57% have noted an increase in security incidents in the past year, with one in five reporting a ransomware attack (the survey was conducted the week before the WannaCry attack). Of those affected, 64% said the ransom demanded was under €1000.
On a more positive note, only 14% of businesses said they'd pay the ransom if the value of the data merited it, while 47.5% said they wouldn't pay regardless of the value. Three quarters said they'd report the incident to the authorities, and 52.5% said they would advise impacted third parties such as customers and suppliers.
Ward says the increase in security incidents is partly due to more effective detection solutions as organisations “shift from prevention-only strategies to a more holistic security lifecycle based on assessment, prevention, detection and incident response.” Three-quarters of businesses said they feared that cybercriminals would use artificial intelligence to launch attacks in the next 12 months.
The full report, along with recommendations for action, is here.
Image: Christiaan Colen.