Attacks/Breaches

2/2/2018
10:50 AM
Dark Reading
Dark Reading
Products and Releases
50%
50%

Less than 1 in 5 Enterprises Have Customer Notification Plan for Data Breaches

Three quarters of companies subject to GDPR think they could meet the 72-hour notification window, despite the fact that the majority do not have a fully baked customer notification plan in place.

PORTLAND, Ore. – Feb. 1, 2018 – The European Union's General Data Protection Regulation (GDPR) goes into effect this May and lawmakers in the U.S. are proposing stricter data breach legislation. With increased pressure on companies to better protect data and improve notification procedures in the event of a data breach, Tripwire, Inc.surveyed 406 cybersecurity professionals to see how prepared organizations are feeling.

Findings from the study revealed that just over three quarters (77 percent) of companies subject to GDPR could meet the 72 hour notification window, with 24 percent claiming they could notify customers of a data breach within 24 hours. In addition, when asked how prepared their organization was to notify customers in the event of a data breach, less than a fifth (18 percent) said that they were fully prepared with a process in place. The majority (73 percent) said they were ‘somewhat prepared’ and would have to figure things out ‘on the fly.’

“When it comes to cybersecurity, it’s short-sighted to figure things out ‘on the fly,’” said Tim Erlin, vice president of product management and strategy at Tripwire. “The majority of data breaches and security incidents can be avoided by following basic security steps and implementing tried and tested foundational controls. With GDPR coming into effect this year, running a business without a fully baked plan is really asking for trouble.”

When asked to characterize their company’s capabilities for knowing where its customer data is stored versus for protecting customer data, respondents were more confident in knowing where the data is. Over a third (35 percent) said their knowledge of where the customer data is stored is ‘excellent’ by comparison to just over a fifth (21 percent) saying the same for their ability to protect customer data.

Other findings from the study revealed that most don’t feel they are fully prepared for any aspect of a security breach. Less than a fifth (18 percent) felt they were fully prepared with a cross functional team in place to work across IT, finance and communications. Nearly three quarters (73 percent) were not fully prepared to protect customers and only a fifth (22 percent) felt prepared to absorb potential financial penalties as a result of a security breach.

Erlin added: “There are plenty of tried and tested frameworks available from governing bodies in the cyber security space that can help organizations who feel like they’re struggling to prepare for a security incident and more specifically, GDPR. If you are an organization subject to GDPR – and as the rules apply to all companies worldwide that process personal data of European Union (EU) data subjects, that will be the majority of global businesses - you are not alone. Start researching for resources that cater to your needs now to help you prepare, so that you aren’t hit with a big fine come May 2018.”

This study was commissioned by Tripwire and carried out by Dimensional Research in November 2017. A total of 406 qualified participants completed the survey. All participants had responsibility for IT security as a significant part of their job and worked at companies with more than 100 employees.

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
Making the Case for a Cybersecurity Moon Shot
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  2/19/2019
New Free Tool Scans for Chrome Extension Safety
Dark Reading Staff 2/21/2019
Privacy Ops: The New Nexus for CISOs & DPOs
Amit Ashbel, Security Evangelist, Cognigo,  2/18/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
How Enterprises Are Attacking the Cybersecurity Problem
How Enterprises Are Attacking the Cybersecurity Problem
Data breach fears and the need to comply with regulations such as GDPR are two major drivers increased spending on security products and technologies. But other factors are contributing to the trend as well. Find out more about how enterprises are attacking the cybersecurity problem by reading our report today.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-8955
PUBLISHED: 2019-02-21
In Tor before 0.3.3.12, 0.3.4.x before 0.3.4.11, 0.3.5.x before 0.3.5.8, and 0.4.x before 0.4.0.2-alpha, remote denial of service against Tor clients and relays can occur via memory exhaustion in the KIST cell scheduler.
CVE-2019-1698
PUBLISHED: 2019-02-21
A vulnerability in the web-based user interface of Cisco Internet of Things Field Network Director (IoT-FND) Software could allow an authenticated, remote attacker to gain read access to information that is stored on an affected system. The vulnerability is due to improper handling of XML External E...
CVE-2019-1700
PUBLISHED: 2019-02-21
A vulnerability in field-programmable gate array (FPGA) ingress buffer management for the Cisco Firepower 9000 Series with the Cisco Firepower 2-port 100G double-width network module (PID: FPR9K-DNM-2X100G) could allow an unauthenticated, adjacent attacker to cause a denial of service (DoS) conditio...
CVE-2019-6340
PUBLISHED: 2019-02-21
Some field types do not properly sanitize data from non-form sources in Drupal 8.5.x before 8.5.11 and Drupal 8.6.x before 8.6.10. This can lead to arbitrary PHP code execution in some cases. A site is only affected by this if one of the following conditions is met: The site has the Drupal 8 core RE...
CVE-2019-8996
PUBLISHED: 2019-02-21
In Signiant Manager+Agents before 13.5, the implementation of the set command has a Buffer Overflow.