According to a recently published study conducted by the British Standards Institution (BSI), one in six European businesses is not completely ready to respond to a data breach. This finding is of concern as the European Union’s General Data Protection Regulation (GDPR) became effective on May 25 this year. Companies that fail to comply with data breach reporting and mitigation requirements can face penalties of €20m or 4% of yearly global revenue, whichever amount is higher.
BSI is the group that sets national standards in the United Kingdom. It creates technical standards for a large selection of products and services, including standards-related services for businesses and certification.
The study found that 73% of participants in the BSI research were taking cybersecurity seriously and were actively finding solutions to improve security. However, one in six respondents informed the researchers that they lacked a plan for addressing data breaches. One-third said they were not conducting cybersecurity penetration testing at this time, and only 59% of respondents said they had implemented an end-user security awareness training program.
Global Head of Cybersecurity and Information Resilience Services at BSI, Stephen O’Boyle, explained that training and education are both essential for improving resilience against cyberattacks, and that he was encouraged to see that many businesses are taking cybersecurity seriously and are running employee security awareness programs. He said that being proactive is the best defense. However, he was concerned that one in six organizations is not prepared to deal with a data breach and that a third of companies are not testing their defenses to ensure that they are effective.
“The increase in imminent malware threats, the importance of complying with new data protection regulations, the treatment of Shadow IT, and the advances in social engineering have been at the forefront this year,” said O’Boyle. “At BSI, we work with organizations to implement tailored plans that incorporate training at all levels of an organization, from senior executives to junior employees, as well as cybersecurity testing services to identify and address any weaknesses.” Since the threat landscape is constantly changing, keeping systems secure requires an ongoing effort, constant reevaluation of defenses, and regular staff training.
The European Parliament adopted GDPR on April 14, 2016. Businesses, organizations, groups and agencies conducting business in the European Union, and those that handle the personal information of EU residents, have had two years to set up processes and systems. It is sad to see that many businesses are still not fully compliant five months after the May 25, 2018 compliance date.