A recent study commissioned by LogRhythm, a company that offers cyber threat defense, detection and response services, reveals that 87% of organizations from the UK would be unable to identify the individuals who have fallen victim to a data breach as required by EU regulations.
The new European Commission Data Protection Directive rules state that a firm that falls victim to a data breach must be able to identify the individuals affected by it in a matter of 24 hours.
According to the research, which surveyed 200 IT managers from large British companies, most of them do not have the policies and mechanisms needed to meet this requirement. Furthermore, 13% of the respondents admitted that it would take them up to a month to determine exactly what type of customer data had been affected.
Another 6% of the decision-makers said that they didn’t think they could ever accurately identify the victims of a data breach that targeted their companies.
Other figures show that more than a quarter of the organizations from the UK don’t even know whether they’ve suffered a data breach in the past. Also, half of the managers questioned stated that data was analyzed only in the event of a breach, and around the same number admitted that their budgets allocated for cybersecurity haven’t increased in the past 5 years.
However, there’s one thing that appears to motivate a large number of companies to take more active measures: penalties.
“It is worrying that so many organisations’ IT security decisions seem to be motivated by non-compliance and the threat of financial penalties, rather than a desire to employ a best practice approach,” Ross Brewer, vice president and managing director for international markets at LogRhythm, said.
“Unfortunately it appears that these attitudes stem from the top as 50 percent of respondents stated that new regulations are one of the main ways of engaging senior level staff with the IT security decision making process.”