GDPR spurs companies to boost cybersecurity precautions

01 February 2018 Consultancy.uk

The rapidly approaching enforcement of the new General Data protection regulation in May 2018 has spurred companies across the UK to up their efforts to become compliant. A new study finds overlap between companies that have or are becoming compliant and improved cybersecurity behaviours – strengthening wider consumer and company data defences.

Cybersecurity has become an increasingly pressing issue, with businesses susceptible to various forms of attack – from direct hacks to social engineering. The threat landscape continues to evolve, with two major vulnerabilities, Meltdown and Spectre, recently uncovered, while attack vectors continue to rise. In terms of impact, one recent study placed global economic damage in the order of $440 billion, while businesses collectively foot a $280 billion bill for failures.

Given the risk to customers and clients from breaches of personal and sensitive information, governments in Europe developed the GDPR, which, when enforcement begins next May, impose stiff penalties on companies that do not meet compliance standards.

Connection between cybersecurity and GDPR

Readiness for the GDPR among businesses affected and cybersecurity complement each other – finds a new Marsh study, titled ‘GDPR Preparedness: An Indicator of Cyber Risk Management’, into current industry trends. The study involved 1,300 executives representing a range of industries and organisations worldwide.

The new legislation is one of the most sweeping changes to privacy rights and obligations to have taken place in years. The policy, which will significantly bolster EU residences’ rights regarding information about them, also offers a strong background for cybersecurity – with encryption becoming the norm while requirements for breach reporting (within 72 hours) bolsters event management capacities.

Attack not if but when

However, while being GDPR compliant creates a strong background posture for cybersecurity, current compliance levels remains relatively low – 8% say that they are currently fully compliance, while 57% say that they are developing a plan to become compliant, while 11% say that they have no plan.

The difference between companies that are fully compliant and have no plan in terms of key cybersecurity practices, is relatively stark. The number that have developed a cyber incident reporting plan stand at 49% for fully compliant and 10% with no plan, while for encrypted computers the difference is 69% and 38% respectively. Fully compliant firms were also found to be three times more likely to adopt some cybersecurity measures and four times more likely to adopt a cyber resilience measure.

Organisations continue to face considerable threat from the adversaries. In the past 12 months, 23% of respondents subject to the GDPR said that they were the victim of a successful cyberattack. Opening them up, when such breaches affect users’ privacy, in potentially stiff fines.

Organisation preparation levels by preparation level

The new rules will push companies to as best they can, to prepare their businesses for a more robust care for the rights of customers to privacy and personal security. The companies preparing themselves for compliance with the GDPR were also found to investing more to address cybersecurity related risks than companies with no plan. 78% of respondents in ‘compliance or developing a plan’ said that they have increased spending, while 18% say that spending is flat – for the no plan group spending increases stood at 52% while 38% said that it remained flat.

In terms of the completion of 14 key cyber risk actions taken by the different groups, the ‘compliance or developing a plan’ was much more likely than the ‘no plan’ group to have completed 10-14 actions, 22% and 9% respectively, while in the 4-9 actions segment, 54% and 36% respectively were said to be completed. A large number of ‘no plan’ respondents, 47%, have completed 0-3 steps.

Adoption of cybersecurity behaviours and techniques

The GDPR has also structured companies seeking to become compliant into various cybersecurity risk management actions. For instance, when comparing companies that have no plan and those that say that they are compliant or are developing a GDPR plan, 38% verses 56% said that they encrypt organisational desktop and laptops – something explicitly encouraged by the GDPR. While 17% and 56% said that they have engaged in penetration testing, something strongly implied by the GDPR.

Other cybersecurity management actions include conducting a cybersecurity gap assessment, cited by 38% and 67% respectively, and implementing / enhancing phishing awareness training for employees, cited by 50% and 66% respectively.

More on: McKinsey & Company
United Kingdom
Company profile
McKinsey & Company
McKinsey & Company is a Global partner of Consultancy.org
Partnership information »
Partnership information

Consultancy.org works with three partnership levels: Local, Regional and Global.

McKinsey & Company is a Global partner of Consultancy.org in Middle East, Africa, Asia, South Africa, Australia, Europe, India, Latin America, Netherlands, United Kingdom, Canada and United States.

Upgrade or more information? Get in touch with our team for details.

Send
Consulting firms of all sizes celebrated in annual ranking
United Kingdom
Consulting firms of all sizes celebrated in annual ranking The Financial Times has released the 2025 edition of its UK’s Leading Management Consultants ranking.
01 April 2025
McKinsey to keep diversity on the agenda
United States
McKinsey to keep diversity on the agenda McKinsey & Company has pledged to keep its diversity goals in place, according to a memo from global managing partner Bob Sternfels.
19 February 2025
Former McKinsey business analyst hired to Musk’s DOGE ‘nerd army’
United States
Former McKinsey business analyst hired to Musk’s DOGE ‘nerd army’ Elon Musk has hired recent graduate Kendall Lindemann, a former McKinsey & Company business analyst, to the growing team at DOGE, though the young recent graduate has little professional experience t
14 February 2025
McKinsey mulls sale of in-house asset manager MIO Partners
United States
McKinsey mulls sale of in-house asset manager MIO Partners McKinsey & Company is mulling the potential sale of MIO Partners, the in-house asset manager that invests the private wealth of its partners and alumni.
03 February 2025
McKinsey & Company inks strategic alliance with C3 AI
United States
McKinsey & Company inks strategic alliance with C3 AI McKinsey & Company, a New York-headquartered management consulting firm, has signed a strategic alliance with C3 AI, a Silicon Valley-based enterprise artificial intelligence software company.
31 January 2025
Global retail sector heading for slim growth in 2025
United Kingdom
Global retail sector heading for slim growth in 2025 The fashion industry is set for slow but steady growth in 2025, according to new McKinsey & Company research.
20 November 2024
AI energy demand could hinder net zero progress and outstrip supply
United Kingdom
AI energy demand could hinder net zero progress and outstrip supply According to a new study from McKinsey & Company, the fervour for digital and AI capabilities is creating greater energy needs – even as the world struggles to meet its pre-GenAI net zero targets.
18 November 2024
Emirates NBD partners with McKinsey to drive AI and advanced analytics
United Arab Emirates
Emirates NBD partners with McKinsey to drive AI and advanced analytics A few years ago, Dubai’s government-owned bank Emirates NBD entered into a partnership with strategy consulting firm McKinsey & Company with the aim of turning the bank into a leader in artificial in
18 November 2024

Cyber Security news

Cyber Security consulting firms Cyber Security consulting services

Privacy news

More Privacy