Business leaders overconfident on compliance prep, suggests survey

Business leaders are brimming with confidence about their ability to comply with the fast approaching General Data Protection Regulation (GDPR) and Notifiable Data Breaches Act, but their self-assurance may be misplaced, suggests a survey.

Nearly all (95 per cent) of respondents in the Trend Micro global survey knew they needed to comply with GDPR and 85 per cent had reviewed its requirements. But despite the perceived awareness, the survey exposed confusion around exactly what Personally Identifiable Information (PII) needs to be protected.

Of those surveyed, 64 per cent were unaware that a customer’s date of birth constitutes as PII. Some 42 per cent wouldn’t classify email marketing databases as PII, 32 per cent don’t consider physical addresses and 21 per cent don’t see a customer’s email address as PII either.

“These results indicate that businesses are not as prepared or secure, as they believe themselves to be. Regardless, this data provides hackers with all they need to commit identity theft, and any business not properly protecting this information is at risk of a penalty fine,” Trend Micro said.

Penalty fines for breaches of GDPR – which comes into effect early next year – are significant, UP TO €20 million or four per cent of a company’s global annual turnover, whichever is greater.

The regulation also updates rights for data subjects – customers of a company that holds their information – to claim compensation if they suffer from a breach.

According to the survey, only a third of respondents recognized the severity of the fines, and two thirds believe reputation and brand equity damage to be the biggest pitfall in the event of a breach.

“These attitudes are especially alarming considering businesses could be shut down in the event of a breach,” Trend Micro said.

GDPR mandates that businesses must implement state-of-the-art technologies relative to the risks faced. Despite this, only 34 per cent of businesses have implemented advanced capabilities to identify intruders, 33 per cent have invested in data leak prevention technology and 31 per cent have employed encryption technologies, the survey results indicate.

Lacking preparation for local legislation

In Australia, businesses will also need to be compliant with the Privacy Amendment (Notifiable Data Breaches) Act 2017, from February next year.

At Trend Micro’s CLOUDSEC conference in Sydney last month, a survey of the 1,000 attendees found that more than half (56 per cent) agreed they will be impacted by the mandatory data breach notification scheme, and either already have a process in place, or are working on a formal process.

Some 16 per cent don’t believe they will be impacted by the scheme, and more than a quarter (28 per cent) admitted they only have an informal process in place, or no process at all for risk management and cloud security within their organisation.

Live results of the CLOUDSEC survey can be viewed here.

“It is concerning that so many Australian organisations are not prepared for the new legislation, or are of the belief that they won’t be affected,” said Indi Siriniwasa, managing director enterprise and government at Trend Micro ANZ.

“It has never been more important for organisations to make cybersecurity a key priority, and protect the interests of their customers against cybersecurity attacks. Not only is this a security and prevention issue, but it can also have a disastrous impact on both brand and reputation.”