According to a recent Cyber Security Breaches Survey, carried out by Ipsos MORI, only 43% of businesses reported their most disruptive breach outside their organisation. Even then, they would commonly report the breach to an outsourced cyber security provider, in the hope that it could offer a resolution. Of the 26% of breaches that were reported externally, the largest share (28%) were reported to banks, building societies and credit card companies, whereas 19% were reported to the Police. ActionFraud – the UK’s national fraud and cyber-crime reporting centre – received only 7% of breach reports, and other public sector agencies were rarely involved.
Why are businesses failing to report breaches externally?
Firstly, the fact that many organisations are not reporting serious breaches to the Police would indicate that they do not perceive the breach to be a crime. 58% of companies that failed to report the breach to the Police or other authorities claim that they did not consider the incident significant enough to be reported. This was also the case for the 52% of companies that suffered a material consequence as a result of the breach.
It should also be noted that 24% of companies whose breaches had material outcomes claim that they did not know who to report the breach to. Assuming this was genuinely the case, there clearly needs to be more guidance on how, why and where to report such incidents. As many as 10% of businesses failed to report a breach to the authorities because they claim it would not make a difference. Of course, if every company were to make the same assumption, it would make it harder for authorities to provide practical advice on how companies should proceed in finding a resolution and/or mitigating future incidents.
Common actions organisations took after a data breach
Raising staff awareness through training or communications was the most common action taken following a breach, cited by 28% of those who took part in the survey. This would suggest that companies consider insiders to be the weakest link when it comes to cyber security. Other actions taken included updating anti-virus/anti-malware software and changing firewall or system configurations. Only 6% chose to amend their security policies and procedures.
What will change under the GDPR?
Under the GDPR, organisations will be required to notify the supervisory authorities within 72 hours of discovering a serious data breach. Should they fail to do so, they must provide a valid reason for the delay. Failure to comply with the GDPR may result in fines of up to €20m.
As you can imagine, many organisations (or at least those who have given it a second thought) are apprehensive about the forthcoming GDPR. Using native auditing techniques to meet the stringent regulatory requirements of the GDPR will be a complex and time-consuming process. LepideAuditor, on the other hand, can help alleviate the pain of compliance. With LepideAuditor you can track important system changes, automatically respond to anomalous events, generate real-time reports and alerts, and more.
Find out more about how LepideAuditor helps meet GDPR compliance by visiting our website today.