Just one-fifth of businesses disclose cyber-breaches despite GDPR

16 October 2019 Consultancy.uk

A large portion of European businesses are knowingly failing to disclose cyber-security breaches to the public, in spite of facing heavy punishments under GDPR law if they are caught out. According to a new study, just 19% of corporate entities declared hacks when they happened in the last five years, despite a majority of 66% understanding their obligations to report to the Data Protection Authority.

Since May 2018, the General Data Protection Regulation (GDPR) has been the chief EU regulation governing how organisations manage and structure their customer and employee data. Many of its stipulations were already covered by the UK’s Data Protection Act, but since May 2018 organisations have had to prove they have proper data-processing controls in place and that they comply with GDPR. The legislation applies to all domestic and international businesses operating in the EU, threatening those which fail to protect customers’ information with fines of up to €20 million or 4% of global revenues, whichever is larger.

Despite the severity of the punishments for companies which fall foul, however, many companies continue to drag their feet on the matter of compliance. A year on from the launch of the infamous directive, a study of Europe’s businesses released in the summer found that a third were still not compliant with the rules. At the same time, a similar number of businesses said the regulations make it more difficult to trade with firms outside Europe. This suggests that a number of businesses may be consciously risking falling foul of data law, and the security of consumer details – for the sake of maintaining existing trade relations.


Now, a new report has found that the situation may actually be substantially worse. RSM’s Catch-22 report looks at the need for digital transformation and the risks posed by cyber threats, drawing on data collected from middle market businesses across Europe by the European Business Awards. It found that a majority of businesses claim to understand their obligations under data law, yet less than one-fifth of firms are committed to transparently informing the public when they suspect they have been hacked.

The researchers found that 75% of attacks never become public knowledge despite GDPR breach notification requirements. When asked if they fully understood in what circumstances, or level of data breach, they should inform the Data Protection Authority when a potential breach of personal data has been detected, 34% of respondents said ‘no’. This suggests that of the 66% who responded differently, a number must both understand the requirements, and be ignoring them.

In terms of the impact of a data breach on the company, many firms also indicated their heads were still firmly in the sand. Close to half said they did not know what effect a data breach had had on their firm. Of those that did monitor the fallout of a hack, 31% said internal morale had taken a beating from cyber-attacks, 14% said it led to a loss in revenue, and 7% said it damaged the brand, suggesting that 48% of firms would be better advised to take pro-active action on hacks in future, rather than simply hoping the fuss blows over.


For businesses, there are multiple requirements to tackle the threat to cybersecurity. Firms place most importance on effective security software, with 46% of the 597 business leaders polled identifying that as a priority. However, the human aspect of the fight against cyber-crime seems slightly neglected by comparison. While 38% of those questioned said the availability of skilled IT talent was a priority, a smaller 30% said accessible training was high on the agenda.

This remains a major blind-spot for many businesses in terms of security. As organisations become more aware that bad cyber-security practices leave their businesses open to infiltration and breaches, it remains the case that many employees and bosses remain unwilling to apply this logic to their own behaviours. Last year, a survey found that while close to two thirds of individuals were “really worried” about digital identity theft, more than one in 10 would share their password with a colleague, among other issues.

To that end, RSM found that 46% of successful attacks targeted employees via emails in a practice known as phishing, taking advantage of the fact that 22% of businesses still provide no cyber-security training to their staff. Suggesting that this is not changing quickly enough, RSM found that 7% of respondents believed it was “not their position to know” if the firm had ever had a cyber-breach, while 30% simply did not know. Without informing staff of the situation, it is hard for employers to make the matter a priority, or for staff to be mindful of future scams.

Gregor Strobl, Co-Head of Risk Advisory Services, RSM Germany, said of the findings, “Without question, human error is inevitable and poses the biggest security risk to businesses. When it comes to cybersecurity, it is costing European middle market businesses dearly… It is vitally important to ensure that staff know how to recognise and respond... It is troubling, but unsurprising, that so few cyberattacks are ever made public to the authorities or affected businesses. Transparency is key to raising awareness, catching criminals and minimising the damage but the rules need to be clearer and applied more consistently.”