According to IDC Spain, only 10% of Spanish companies are prepared to comply with the GDPR. Globally, Crowd Research Partners states in its “EU GDPR Report” that although 90% of organizations are familiar with this regulatory framework, 30% are not yet ready to adopt the new regulation.
In addition, Panda Security warns of how cybercriminals can profit from this new regulatory framework, through what the company has dubbed “cyberchantaje” (cyber-blackmail).
Bitglass made a series of security predictions for 2018. Among them, it highlighted the human factor in cybersecurity.
“Human errors are the biggest security risk that companies face in 2018,” said the company’s CEO, Rich Campagna. “Businesses are exposed because employees can share files externally, access data from unmanaged mobile devices, and disclose their credentials to malicious users. Next year, companies that have not modernized their security solutions to address these concerns will inevitably suffer a security breach.”
On corporate passwords, the CEO states that there will be a trend towards “multi-factor authentication and dynamic identity management. These advanced capabilities will identify suspicious logins and block them before a breach occurs”. As these mechanisms become stricter in order to prevent breaches, cybercriminals will be pushed towards more sophisticated attacks, such as phishing.
At the same time, emerging technologies such as machine learning will begin to be used by attackers to improve the reach and power of their malware. Campagna warns that this could prove lethal to companies.
But one of the big security challenges that companies will face this year is the entry into force of the GDPR. This is due, among other issues, to the number of unprepared companies. Many do not know how to maintain adequate compliance, particularly in areas related to the cloud and the security of the data held on those platforms, which could lead to a wave of sanctions.
“The first economic sanctions under the new law will cause companies to hasten to achieve compliance. One or more companies that don’t could go bankrupt,” said the company’s EMEA region director Eduard Meelhuysen.
The GDPR will require companies to make changes to their security policies and technologies, paying greater attention to data management, especially data relating to customers.
According to the survey conducted by Crowd Research Partners, while 90% of organizations are familiar with this regulatory framework, 30% are not yet ready to adopt the new regulation. For more than half of them (65%), compliance with the framework is a priority, although this varies by industry.
The industries most interested in meeting the framework are technology, energy and financial services, where compliance ranks among the top three priorities.
Another survey, conducted by Commvault, reaches a similar conclusion. According to the company, 87% of the CIOs surveyed recognize that their current policies and procedures pose risks under the new regulatory framework, and 58% of US respondents believe that sanctions will be imposed on their companies as a result of the GDPR. In addition, only 21% have practical knowledge of the GDPR and only 17% understand the impact the legislation will have on their company.
Among the main barriers to adoption, the first is lack of budget, cited by 32% of respondents. Second, 29% do not have sufficient knowledge of the regulation, and 28% do not have staff skilled in the relevant areas.
To try to fill these gaps and address compliance, almost half of companies (49%) plan to inventory user data and map the categories protected by the GDPR. In addition, 31% will design applications and databases with specific data privacy controls enabled, and 28% will add auditing to track fraudulent handling of records containing personal information.
However, 50% of the companies surveyed will spend less than 5% of their IT security budget on GDPR compliance.
In Spain only 10% of companies comply with the GDPR. However, most are trying to make the changes needed to accommodate the new legislative framework. Proof of this is that 25% of Spanish companies declare that they already have a consolidated plan aimed at ensuring compliance, although a large majority (65%) have not yet scheduled a strategy to bring them within the regulation.
By contrast, 18% of European organisations already comply, led by Germany (26%), followed by the United Kingdom (24%) and Italy (20%).
“However, the situation is increasingly positive, as one in three Spanish companies considers the new regulation a competitive advantage or an opportunity to improve efficiency or review the governance of information,” says Laura Castillo, senior analyst at IDC Research Spain.
Why is this? According to IDC Spain, the main reason is that compliance is not seen as a priority (56% of cases). Resources are also limited for 49% of Spanish companies, and a considerable share (42%) are unfamiliar with part of the legislation, although the vast majority (96%) have heard of it. 59% have serious doubts about what data to protect, how to manage it and what security measures are needed, which makes planning and implementation very difficult.
Commvault reports that only 12% understand how the GDPR will affect cloud computing, and many fear adding a new risk factor when adopting this technology. Despite this clear lack of understanding, IDC points out that just over half (53%) of organizations will deploy cloud solutions. A share of companies, however, have decided to migrate their services to providers in Spain (23%) or elsewhere in Europe (4%), or to their own datacenters (6%).
“It is very important that cloud service users are aware that responsibility for GDPR compliance cannot be outsourced to a service provider. This does not exempt providers from applying the necessary security measures and communicating them to their customers,” the consultancy stresses.
Indeed, this lack of understanding has led 90% of organizations to acknowledge that they will seek help from external companies. When deciding who to turn to, specialization is a key factor, especially for solutions related to local security and the legal approach. The most demanded help will therefore come from consultants specialized in risk (39%), local IT service organizations (36%) and law firms (35%).
IDC also emphasizes that compliance with the new regulatory framework is more a reputational than an economic matter, because 80% of users who believe their personal data may have been compromised say they will not trust the company again.
“The GDPR regulates the collection, storage and use of ‘personal data’, i.e. any information that serves to identify a natural person. This ranges from easily identifiable items such as a name or email address to an IP address or information from cookies,” explains IDC Research Spain.
But if they want to convey security to customers, companies will need to get control of “dark data”: unstructured or duplicated content over which the company has no visibility, which can amount to 70-80% of its data. Data loss can also blur the security picture, and is a challenge for just over half of companies (53%).
“This is essential for employee training and awareness initiatives,” said Laura Castillo of IDC Research Spain.
However, the economic factor cannot be ignored either, as penalties can reach 20 million euros or 4% of global annual turnover, whichever is higher.
Despite all the benefits and risk prevention the new legislative framework looks set to bring, Panda Security highlights that it may also bring some security threats.
The GDPR obliges companies to report personal data breaches to the supervisory authority (within 72 hours of becoming aware of them); failing to do so results in large economic penalties. It also requires them to keep the PII (personally identifiable information) of their employees and customers in order. According to Commvault, only 18% of companies say they are able to delete data from all their information platforms, only 9% believe they will be able to anonymize data properly, and 8% doubt they will be able to transfer data to another company when a customer asks.
This could lead cybercriminals to see an opportunity for “cyber-blackmail”, i.e. demanding a ransom from companies for stolen information and, if the company does not agree, threatening to report the breach to the authorities responsible for GDPR enforcement.
Three threats therefore combine: the spread of the PII, the fines that could follow from the company’s lack of compliance, and the reputational damage arising from the incident. And even if the company gives in to the blackmail, there is no guarantee that the information will not be leaked anyway or that the blackmail will end there.
Hacktivists can also find their own angle in the new regulation. Having located security breaches at companies or institutions that would call their compliance into question, they can use that leverage to force them to change their policies.
Another case that Panda Security warns about concerns the right to be forgotten and the notification obligation, under which a customer can request the deletion of their data from any storage medium belonging to the company. Attackers could try to find databases in which customer information that should have been removed still appears, in order to demand payment.
This is serious, since according to Commvault only 16% of the companies surveyed believe they could locate a customer’s data immediately in response to such a request, and 5% say they would not be able to find all of it. The largest group (36%) would need hours, 25% a day and 18% a week.
Admittedly, the clock for reporting such incidents only starts once the company becomes aware of it, but this kind of blackmail could turn into a race against time with the attackers.