Security company Tripwire recently surveyed 298 IT security professionals attending the Infosecurity Europe 2019 conference to find out how well they understand the disclosure requirements of the European Union’s General Data Protection Regulation (GDPR).
One of the chief obligations of GDPR is declaring data breaches within 72 hours of their being noticed. The majority of respondents said that they can comply with the 72-hour rule at this point, but 14% were unable to do so.
The type of security incident involved is also significant here. Tripwire found 21% of respondents would not share an accidental data exposure via the cloud. The remaining 23% responded “maybe”. When the same respondents were asked about ransomware attacks, the results were similar: just over two thirds (67%) agreed that they should report a ransomware attack to customers and regulators. A further 20% said that they were unsure, while 13% said that they were not required to do so.
Tim Erlin, vice president of product management and strategy at Tripwire, said: “These results are fairly encouraging and indicate that knowledge about GDPR’s requirements around data breaches is spreading. There is still room for improvement, however. Anyone in an information security role should be familiar with the basic requirements of GDPR and what their responsibilities are. The biggest opportunities for improvement are around what constitutes a breach and how to respond to an incident.”
Other results in the Tripwire report included the following:
- 92% of firms had an incident response plan, with most updating it constantly.
- 5% had not updated it in over a year, with 22% updating their response plans on a yearly basis.
- 20% audited their response plan on a weekly basis, although it wasn’t clear how extensive or detailed a weekly audit would really be.
The survey also revealed that 74% of businesses had adapted data breach prevention or response training for employees. The other 11% were unsure whether they had or not.
You can read the full text of the report here.