Circa 50% of organisations reported to ICO for data breaches post-GDPR
20 May 2020
APRICORN HAS announced the findings of its annual survey examining attitudes towards data breaches. Almost half (43%) of those IT decision-makers questioned said that their organisation has been reported to the Information Commissioner's Office (ICO) since the European Union's General Data Protection Regulation (GDPR) came into effect.
The research survey*, which was conducted by Censuswide, has also highlighted an increase in the implementation of encryption and endpoint control since the GDPR was enforced.
A quarter of respondents (25%) said they had notified the ICO of a breach (or a potential breach) within their organisation, while 21% have had a breach or potential breach reported by someone else.
According to a separate data breach survey recently carried out by law firm DLA Piper, up to the end of January this year over 160,000 breach notifications have been made to data supervisory authorities in the European Economic Area since the GDPR came into play.
“The fact that so many businesses are now choosing to notify of a potential breach is positive, but likely precautionary to avoid falling foul of the requirements and any significant financial or reputational ramifications,” commented Jon Fielding, managing director (EMEA) at Apricorn.
However, these concerns are being mitigated by an increase in encryption and endpoint control. Nearly all respondents (94%) affirm that their organisation has a policy that requires encryption of all data held on removable media. Of those that encrypt all data held on removable media, more than half (57%) hardware encrypt all information as standard on all removable media.
Strict security measures
Of those with an information security strategy that covers employees’ use of their own IT equipment for mobile/remote working, 42% said they permit only corporate IT provisioned/approved devices and have strict security measures in place to enforce this rule through endpoint control. This is a huge rise compared with 12% in 2019, highlighting a positive shift in focus towards endpoint control.
When questioned on whether they had seen an increase in the implementation of encryption in their organisation since the GDPR was enforced, nearly four in ten (39%) said they had noticed an increase: their organisation now requires all data to be encrypted as standard, whether at rest or in transit. This is a positive step given the number of employees now working remotely as a result of the current pandemic.
While many businesses are currently encrypting devices, they also highlighted that they have no further plans to expand encryption on USB sticks (38%), laptops (32%), desktops (37%), mobiles (31%) and portable hard drives (40%). This is worrying given the risks posed to corporate data being held on unencrypted devices. In terms of best practice, businesses should allow only corporately approved, hardware-encrypted devices that are whitelisted on the IT infrastructure and block access to all non-approved media through endpoint control.
“The wide variety of options for encryption deployment can be intimidating and it's fair to suggest that companies haven’t been using it effectively,” pointed out Fielding. “Organisations are now beginning to recognise the importance of endpoint hardware encryption and the need to implement and enforce policies designed to protect corporate data, ensure compliance with data protection regulations and reduce the potential for a data breach.”
Impact of data breaches
When asked about the impact of a data breach on their organisation, more than a third (35%) of respondents cited the belief that damage to the brand and the overall reputation of the business is their main concern. This was followed by concerns over financial costs for incident response and clean-up (28%), loss of customer trust (18%) and financial costs resulting from a fine (12%).
“Focusing on how best to manage and respond to a potential breach in co-operation with data protection authorities is essential,” added Fielding. “Being able to establish a cause and remediate quickly will put businesses in good stead for breach recovery.”
Employees unintentionally putting data at risk remains the leading cause (33%) of a data breach, with lost or misplaced devices now the second biggest cause (24%) and third parties mishandling corporate information not far behind (23%). This correlates with the finding that, although more than a third (35%) of survey respondents have complete visibility of which devices employees use to access the corporate network, they are not certain that all of those devices are secure.
In conclusion, Fielding informed Security Matters: “It’s clear the GDPR is finally having some impact, but businesses need to recognise that compliance is ongoing and they should continue to enforce and update all policies. Equally, more needs to be done in terms of employee awareness and education if they want to reduce the risk of a data breach, particularly so given the increase in data moving beyond the corporate network.”
*Respondents to the survey comprised 100 UK IT decision-makers (CIOs, heads of IT, IT directors, senior IT managers, etc) from enterprise organisations (with 1,000-plus employees) within the financial services, IT, manufacturing, business and professional services sectors.