Don’t Get Caught Unprepared, GDPR Fast Approaching
It seems that the May 2018 deadline for the EU's General Data Protection Regulation (GDPR) is approaching faster than businesses are ready for. According to research by ProofPoint, Inc., less than half of IT decision makers at UK companies (48%) say they are financially prepared for the new regulations, even though a majority of them expect to be breached within the next year.
Data breaches are the new normal: every company gets hacked. CSO's Roger Grimes tells a darkly funny story about one of his consulting jobs. A company could not understand why a software patch kept installing itself against their wishes, no matter what they did to stop it. What Grimes found was that the "patch" was being pushed by intruders who were already inside the network. Because the company was not securing its own systems, more and more attackers kept sneaking in, and the ones already there were closing the hole to shut out the competition. In effect, cyber criminals were doing the company's security hardening for it.
There is no escaping the efforts of cyber criminals these days. And yet, getting back to GDPR, almost 80% of UK businesses in the study insist that their readiness level is strong, even though only five percent of respondents were confident in their organization's data protection strategies. "While the majority of UK businesses are bullish about their ability to meet the compliance deadline, our research shows that for many, the basic requirements are not met," according to Adenike Cosgrove at ProofPoint.
Some are making preparations, but in essence only taking half measures. Almost a quarter (24%) of respondents said their organizations had purchased cyber liability insurance, which is useful but does nothing by itself to achieve GDPR compliance. Only about half of the organizations in the study appeared to be fully aware of the EU personal data they hold, revealing a lack of visibility over critical data that could come back to bite them in just six months' time. Failure to comply with GDPR, after all, can result in financial penalties of up to four percent of annual global revenue or €20,000,000, whichever is higher.
According to Grimes, most of the companies he has worked with do not know what their biggest exploitable weaknesses are. That kind of blind spot is something no business should tolerate in any part of its cybersecurity, whether or not it faces looming GDPR rules. For those that do, the prospect of fines, reputational damage, and operational disruption should be motivation enough to take a good, hard look at their actual, realistic level of preparation.