According to new research carried out by Egress Software Technologies, 90 percent of CIOs think that the nascent reforms will leave them exposed.
Carried out as an independent survey, the research collected interviews from 200 CIOs in the UK, all from organisations with at least 1,000 employees, across sectors such as retail, transport, financial services and manufacturing.
The General Data Protection Regulation (GDPR) has been decried in some camps and celebrated in others. It is expected to be adopted in spring this year, and the heavy hand of enforcement will come down in 2018. That heavy hand could take as much as four percent of global annual turnover or 20,000,000 euros, whichever is greater, if the regulation's requirements are infringed.
Under the regulation each member state of the EU will have a supervisory authority responsible for enforcing the protection of the personal data that organisations hold.
Organisations will now have to put the privacy of their customers' data at a premium, meaning that data will have to be kept for a limited period and for no longer than it is needed by the organisation. Data will also have to be stored in a way that prevents individuals from being directly identified, through data masking, or pseudonymisation as the GDPR calls it.
Breaches will have to be reported to the supervisory authority without undue delay and, where feasible, within 72 hours of the organisation becoming aware of them, and data will have to be deleted on request. Principally, organisations will have to introduce 'Privacy by Design', wherein the privacy of the customer is taken into account at every stage of system design.
The survey also found that CIOs feel employees are dropping the ball when it comes to protecting the organisation's data. 77 percent admitted their own frustration that, even though new protection technology is readily available, employees aren't using it. A further 87 percent thought, perhaps predictably, that this left their organisations vulnerable.
Tony Pepper, CEO of Egress, told SCMagazineUK.com that the “solution is making security as easy to use as possible. If security makes processes more complicated or time-consuming people will find a way to avoid it; if it's seamlessly integrated into the everyday tools they are used to handling then they will have no reason to resist.”
Strangely enough, despite CIOs' fear of their employees leaving their organisations exposed, only 20 percent of CIOs are focusing on accidental breaches, even though 93 percent of breaches are the result of human error, according to a Freedom of Information disclosure from the Information Commissioner's Office.
Pepper told SC that it is largely this misapprehension that will leave organisations exposed. Simply put, “they are putting their efforts in the wrong places.”
Instead, organisations are concentrating on threats to their networks: “This could be setting organisations up for a fall - there is little point securing the business from external attack when an internal error or lack of clear process could lead to an accidental breach and expose the organisation to financial penalties and loss of customer confidence.”
This lack of concentration on human error seems to run contrary to the near-constant warnings that accidents and oversights are at the centre of most breaches. Stranger still is the fact that over a quarter of the CIOs surveyed, worried about exposure though they may be, are not planning to make changes ahead of the enforcement date in spring 2018. Pepper continued, “While their current systems and processes may be suitable under today's legislation, it is likely that not all of them will stand up under the EU GDPR.”