Carbon Black, a provider of next-generation endpoint security, has carried out research with Computing Magazine that uncovers significant discrepancies between the confidence organisations report in their GDPR readiness and the reality of how they will deliver compliance once the regulation applies from May 2018.
The survey of 120 business decision makers across multiple industry sectors found that, while 86% reported being reasonably or very confident in their ability to comply with the GDPR mandate on the rights of individuals to control all aspects of their personal data, 58% were not yet employing recognised frameworks or technologies to assess data risk.
Fewer than 10% of survey respondents said their toolsets for classifying critical data and then identifying and prioritising risk to data were effective and easy to manage. This lack of visibility across distributed organisations will make fulfilling requests for erasure – the “right to be forgotten” – difficult to achieve. It may also prevent organisations from identifying and neutralising data breaches within the GDPR’s 72-hour notification time frame. The survey found 60% of respondents admitted to taking hours or longer to identify their most serious, recent security attack.
The survey also explored the defences that businesses have in place to protect customer data from malware and other cyberattacks. Respondents identified individuals (40%) and endpoints (35%) as the most vulnerable to attack, followed by networks and servers. There was also concern about the growing prevalence of hard-to-detect fileless/non-malware attacks, with 94% of respondents believing such attacks are likely to increase in the next two years.
Chris Strand, Senior Director, Compliance and Governance Programs at Carbon Black says: “The rise in fileless attacks we’ve seen in the last 12-18 months is genuinely frightening when weighed against the upcoming GDPR requirements. In order to effectively identify and neutralise data breaches, it’s essential to know what constitutes normal network behaviours versus what is suspicious. Failing to align the right data protection toolsets with people and processes, many organisations are at risk of non-compliance with the GDPR and, more importantly, putting their customers’ information in jeopardy.”
The research also showed that more than a third of organisations may be struggling with the Privacy-by-Design principle, which sits at the heart of the GDPR. Asked about Data Protection Impact Assessments, which will be a legal requirement under the GDPR, 24% admitted they were unsure whether they undertook them and 13% stated they did not carry them out.
Stuart Sumner, Editor of Computing Magazine says: “Data protection by design and by default is at the centre of the GDPR. Our research has found that, while businesses state their confidence in being able to protect customer data, they do not necessarily have effective tools and frameworks in place to deliver on their commitment. Businesses need visibility throughout their organisation and the ability to detect all types of attacks before they execute. Having the right endpoint detection and response tools in place can help to narrow the existing gap between confidence and reality.”