UK IT leaders are alarmingly willing to cover up a data breach, it’s claimed. In a survey over three in five (61pc) said they would do so if it meant they could escape fines.
It is now over a year since the European Union-wide General Data Protection Regulation (GDPR), which obliges organisations to disclose breaches of personal data within 72 hours of becoming aware, when feasible. However, senior business leaders are more willing than managers or directors to cover up their organisation falling victim to a data breach, with 71pc at C-Level saying they would do so, compared to 57pc of the latter category. Ahead of the 2019 Infosecurity Europe conference, nCipher Security surveyed 250 IT decision makers with responsibility over security purchases, revealing attitudes towards data breaches, regulations, security training and emerging technologies.
While investment in technology is the biggest driver of security spending over the next 12 months, employee training and education is not far behind, taking up 29pc of the average budget. However, despite 83pc of businesses providing cyber training to staff at all levels, several factors are highlighted as major challenges to employee engagement. For example, 66pc said that they were hampered by a lack of skilled resource in-house to conduct the training, while the same percentage of respondents were challenged by an unwillingness to change process and behaviours.
A majority, 55pc of IT leaders pinpointed a lack of support from the board and wider C-suite as a challenge, as well as a lack of best practice guidelines to work towards and implement (63pc). Interestingly, all of these challenges were found to be much more acute within mid-sized companies (250-999 employees).
Cloud and Internet of Things (IoT) were revealed to be the emerging technologies most widely seen as a threat to organisations, at 63pc and 62pc respectively. At the same time, 80pc confirmed that they are using these kinds of emerging technologies to “better identify threats to their business”. The cyber firm says that without the right skills in place, businesses are continuing to push ahead with the adoption of experimental technology to gain an advantage and maintain relevance in their markets. However, this is tempered by a risk factor and scepticism towards these same technologies that is felt most keenly by those at C-Level within the business, creating an interesting paradox that organisations seem to be struggling to navigate.
The compliance and regulation landscape is becoming ever more complicated, and indeed costly – 30pc of the average cyber security budget is spent on meeting compliance needs, the firm noted. GDPR isn’t the only data regulation for businesses to concern themselves with; later this year it will be complemented by the ePrivacy Regulation (ePR), also enacted by the European Union. While 92pc of respondents are aware of the latter, just 32pc completely understand how it builds on GDPR and 37pc are unaware of how it will affect their organisation.
Peter Galvin, chief strategy and marketing officer, nCipher Security says: “Organisations are under a greater obligation than ever to disclose data breaches, particularly when personal information is at risk, but evidently many IT leaders – particularly at C-Level – still feel they can avoid being subject to fines and other punitive measures from regulatory bodies. By implementing the right security measures to protect their business critical information and applications up front by using tools such as encryption, investing in training and talent as well as understanding the regulatory landscape, businesses can take steps to avoid a damaging breach in the first place.”
