Threat detection and response firm Redscan, released information from a Freedom of Information (FOI) request data to the Information Commissioner’s Office (ICO). Data shows that UK businesses routinely delayed data breach disclosure to ICO in the year prior to the full enactment of the EU’s GDPR.
Analysing 182 data breach reports triaged by the ICO in the financial year ending April 2018, the information releveled a shocking lack of ability to detect data breaches with an average time for detection of 60 days (2 months) with one business setting a record for taking as long as 1320 days. This could suggest either a lack of awareness of or knowingly withheld information on part of businesses. It doesn’t get any better from here, after detection it took businesses an average of 21 days to report the breach to the ICO (one took as long as 142 days) which clearly would violate today’s GDPR requirement of 72h. The businesses most likely to identify breaches early on are legal and financial industries with an average of 25 and 37 days respectively, probably due to heightened regulatory awareness.
“Data breaches are now an operational reality, but detection and response continue to pose a massive challenge to businesses,” said Mark Nicholls, director of cybersecurity at Redscan. “Most companies don’t have the skills, technology or procedures in place to detect breaches when they happen, nor report them in sufficient detail to the ICO. This was a problem before the GDPR and is an even bigger problem now reporting requirements are stricter.”
Findings show that 9 out of 10 businesses didn’t specify the impact of the breach, or didn’t know the impact at the time it was reported.
“The fact that so many businesses failed to provide critical details in their initial reports to the ICO says a lot about their ability to pinpoint when attacks occurred and promptly investigate the impact of compromises,” said Nicholls.
The FOI also revealed Saturday was the most common day to fall victim to a data breach with the majority of businesses reporting the issue on a Thursday or Friday – possibly in an attempt to minimise potential media coverage.
“Detecting and responding to breaches is now a 24/7 effort,” said Nicholls. “Many organisations lack the technology and expertise they need, which is compounded by a global cybersecurity skills shortage. Resources are stretched even further at weekends, when many IT teams are off-duty – exactly why hackers chose to target businesses out of hours.”
Since GDPR’s enactment businesses have been obliged to make significant changes and implement tough safeguard mechanisms in relation to dealing with data subject’s data. Maybe the recent penalties and fines issued by regulators would push more businesses in the effort to achieving compliance. Nevertheless, it will be interesting to see juxtaposition with data following the GDPR when it’s available. We at GDPR Toolkit will be following the issue and update you on any new information.