dcn-eu logo
Story image

New analysis paints a grim picture of data management pre-GDPR

12 Mar 2019

New data has revealed just how dire data management was before GDPR’s implementation

Using Freedom of Information (FOI) request data from the Information Commissioner's Office (ICO), Redscan found that businesses routinely delayed breach disclosure and failed to provide important details to the ICO over the year prior to GDPR’s enforcement.

On average, businesses waited three weeks after discovery to report a breach to the ICO, while the worst offending organisation waited 142 days. Meanwhile, the vast majority (91 percent) of reports to the ICO neglected important information like the impact of the breach, the recovery process, and dates.

The FOI also revealed that hackers disproportionately targeted businesses at the weekend, while many reports would be issued to the ICO on a Thursday or Friday – possibly in an attempt to minimise potential media coverage.

Other key findings from the 182 data breach reports analysed by Redscan include:

  • On average, it took companies 60 days to identify they’d been a victim of a data breach, with one business taking as long as 1320 days
  • Less than a quarter (45 out of 182) of businesses would be compliant with current GDPR requirements, which demands organisations report a breach within 72 hours of discovery
  • Nearly half of data breaches were reported to the ICO on a Thursday or Friday (87 of 181)
  • Saturday is the most common day for businesses to fall victim to a data breach – over a quarter of incidents were reported on a Saturday
  • Financial and legal firms identified and reported breaches more promptly than general businesses

“Data breaches are now an operational reality, but detection and response continue to pose a massive challenge to businesses”, says Redscan director of cybersecurity Mark Nicholls.

“Most companies don’t have the skills, technology or procedures in place to detect breaches when they happen, nor report them in sufficient detail to the ICO. This was a problem before the GDPR and is an even bigger problem now that reporting requirements are stricter.”

According to Redscan’s analysis, financial services and legal firms are far better at identifying and reporting breaches than general businesses, which has been put down to increased regulatory awareness and the highly sensitive nature of data processed in these industries.

On average, financial services firms took 37 days to identify a breach, legal firms took 25 days, while companies classified as ‘general business’ took 138 days. Financial services (16 days) and legal firms (20 days) were also quicker to disclose breaches to the ICO than general businesses (27 days).

“The fact that so many businesses failed to provide critical details in their initial reports to the ICO says a lot about their ability to pinpoint when attacks occurred and promptly investigate the impact of compromises. Without the appropriate controls and procedures in place, identifying a breach can be like finding a needle in a haystack. Attacks are getting more and more sophisticated and, in many cases, companies don’t even know they’ve been hit,” says Nicholls.

“In general, firms operating across the financial and legal sectors are among those better prepared to manage data breaches. The fact that even businesses in these high-value sectors were taking two to three weeks to divulge incidents is a key reason why the reporting rules have since been tightened.”

Nicholls says despite the heavier regulation, GDPR is in no way a silver bullet.

“It’s incredibly optimistic to think that businesses are better at preventing and detecting data breaches since the introduction of the GDPR. Despite the prospect of a larger penalty, many are still struggling to understand and implement the solutions they need to achieve compliance,” concludes Nicholls.

Story image
Lenovo announces new edge and Azure cloud-tiering solutions
The solutions, say DCG, were designed in response to the ever-increasing number of connected IoT devices and the masses of data this creates from edge to the core.More
Story image
HPE looks to advance 5G developments with vendor neutral offering
Hewlett Packard Enterprise (HPE) has added the Open Distributed Infrastructure Management (ODIM) initiative to its open 5G portfolio.More
Story image
Tencent Cloud launches Voov Meeting videoconferencing tool
Tencent Cloud is deepening its presence in the unified communications business, after launching a cloud-based conferencing tool as the world shifts towards remote offices.More
Story image
UN telecommunications agency launches global platform to fortify countries' networks
The platform set out by the ITU today aims to assist policy-makers, regulators and telecommunication companies by sharing ‘best practices and initiatives put in place during the COVID-19 crisis'.More
Story image
Server market and ESS revenues slump as COVID-19 spreads - IDC
The enterprise storage systems market as well as server markets will see declines in the first two quarters of 2020, but are expected to recover near the end of the year, according to IDC.More
Story image
COVID-19: Telco cloud revenue from 5G to drop by 25%
Telco cloud revenue from 5G core deployments will fall between 20%-30% short of the forecasted US$9 billion in 2020. The investment shortfall in modernising telco networks may be somewhere in the range of US$2 to US$3 billion in the short term.More