Many global business decision makers are still unaware of the implications of the forthcoming General Data Protection Regulation (GDPR), as well as other compliance regulations such as the Payment Card Industry Data Security Standard (PCI-DSS) and ISO27001/2, reports NTT Security.
The newly-published 2017 Risk:Value report commissioned by the company, the specialised security company of NTT Group, also reveals that one in five of those surveyed admits they do not know which regulations their organisation is subject to.
The report, which looks at attitudes to risk and the value of information security to the business, is based on a survey of 1,350 non-IT executives across 11 countries. It reveals that just four in 10 respondents globally believe their organisation will be subject to the European Union (EU) GDPR.
Perhaps of most concern is that 19% admit they don’t know which compliance regulations they are subject to. In the UK, just 39% of respondents identify GDPR as a compliance issue, and 20% admit they don’t know, while those outside of Europe are even less aware. Just a quarter of business decision makers in the US, 26% in Australia, and 29% in Hong Kong believe they are subject to the GDPR, although it will apply to any business holding or collecting data on European citizens.
Coming into force on 25 May 2018, the legislation leaves companies with less than a year to comply with strict new regulations around data privacy and security and could result in penalties of up to €20m or 4% of global annual turnover, whichever is higher.
With data management and storage a key component of the GDPR, one in three respondents do not know where their organization’s data is stored, while just 47% say all of their critical data is securely stored. Of those that know where their data is, only 45% describe themselves as “definitely aware” of how new regulations will affect their organization’s data storage.
Those in the financial services/banking and computer services/technology sectors are most likely to know where their data is stored and which compliance regulations they are subject to.
“In an uncertain world, there is one thing organisations can be sure of and that’s the need to mark the date of 25 May 2018 in their calendars,” Garry Sidaway, senior vice president (SVP) security strategy and alliances at NTT Security.
“While the GDPR is a European data protection initiative, the impact will be felt right across the world for anyone who collects or retains personally identifiable data from any individual in Europe. Our report clearly indicates that a significant number do not yet have it on their radar or are ignoring it.
“Unfortunately, many organisations see compliance as a costly exercise that delivers little or no value, however, without it, they could find themselves losing business as a result, or paying large regulatory fines.”
Among the report’s findings on quantifying the threat:
• One in eight respondents believe that poor information security is the ‘single greatest risk’ to the business. The most commonly reported risk is ‘competitors taking market share’ (28%).
• Fifty-seven per cent of decision makers believe a data breach is inevitable at some point.
• The impact of a breach will be two-fold, with respondents expecting a breach to affect their long-term ability to do business, together with short-term financial losses. More than half (55%) cite loss of customer confidence, damage to reputation (51%) and financial loss (43%), while 13% admit staff losses and 9% say senior executive resignations would impact them.
• The estimated cost of recovery, on average, has increased from US$907,000 in 2015 to US$1.35m in 2017. Over the same period, the estimated impact on revenue has decreased from 12.51%, but is still a significant 9.95%.
• Fifty-six per cent of decision makers report that preventing a security attack is a regular item on the board agenda, suggesting that more needs to be done to get it taken seriously at a boardroom level.
• Respondents estimate on average that only 15% of their organisation’s IT budget is spent on information security – although this figure has risen from 13% in 2015 and 10% in 2014. Many report that they spend less on security than on research and development (R&D) (31%), sales (28%), and marketing (27%).
Among the report’s findings on driving a culture of security:
• Fifty-six per cent of business decision makers say their organisation has a formal information security policy in place, up from 52% in 2015, while 27% are in the process of implementing one and just 1% have no policy or plans to implement one.
• However, while 79% say their security policy has been actively communicated internally, only 39% report that employees are fully aware of it. Germany and Austria (85%) are above average in communicating the policy, together with the US (84%) and the UK (83%).
• The percentage of respondents with an official information policy is unevenly distributed on a per-country basis. In Sweden, the figure is just 30%, while in the UK, 72% claim an official policy. By sector, healthcare leads the way, with 69% of companies claiming an official information security policy. Finance comes a close second (66%).
• Only 48% of organisations have an incident response plan, although 31% are implementing one. But just 47% of decision maker respondents are fully aware of what the incident response plan includes.
The survey, conducted between March and May this year, canvassed the views of non-IT business decision makers in the US, UK, Germany and Austria, Switzerland, France, Sweden, Norway, Hong Kong, Australia and Singapore.