An FoI request to the Information Commissioner’s Office (ICO) has revealed cause for concern over whether businesses on the run up to the implementation of GDPR were preventing, detecting and responding to security threats and breaches in a good and compliant way.
Delay In Identifying and Reporting
An FoI request to the ICO by threat detection and response firm Redscan found that, in the year leading up to the implementation of GDPR on 25th of May, many UK businesses appeared to be routinely delaying data breach disclosure to the ICO.
The data revealed in the request indicated that companies took an average of 60 days to identify that they’d been a victim of a data breach and an average 3 weeks after discovery to report a breach to the ICO. The worst offending business (in the data revealed) took a massive 44 months to identify a breach, and some organisations took an average of 142 days to report their breaches to ICO.
Financial and Legal Quicker at Identifying & Reporting Breaches
The FoI data did, however, show that financial and legal sector organisations were better at identifying and reporting breaches. For example, financial services firms took 37 days to identify a breach and legal firms took 25 days. These figures compare favourably to the general business category where companies took 138 days to identify breaches.
Also, when it came to reporting the breaches, financial services companies took an average of 16 days and legal firms an average of 20 days. These figures, again, compare favourably to ‘general business’ category organisations which took 27 days on average to report breaches to the ICO.
Full Impact Not Reported
The requested data also showed that 9 out of 10 businesses did not fully specify the nature and impact of the breach to the ICO.
Dates Not Reported
The same figures showed that 21% of businesses did not report the breach incident date, and 25% did not report the breach discovery date to the ICO. It may be fair to assume that these figures could indicate that businesses may have either lacked awareness about the breaches or perhaps made a conscious decision to withhold important information due to fear of the consequences.
Most Hacks Happen At Weekends
The FoI data also showed that hackers tend to prefer attacking at the weekends as this is most likely to be the time when many Monday to Friday businesses are not monitoring for threats and essentially have their guard down, and attackers have two days to break into systems. For example, the requested data showed that more than three-quarters of incidents happen on a Saturday.
What Does This Mean For Your Business?
This data relates to behaviour before the introduction of GDPR, but with GDPR now in place, and with the legal risks (big fines) and reputational stakes now escalated, businesses need to make sure that they can be compliant going forward.
Attacks are getting more diverse in nature, are occurring across a wider front, and are becoming more sophisticated. Businesses must, therefore, make sure that they have the appropriate skills, technology, controls and procedures in place to identify a breach in the first place
Also, businesses now need to make sure that they report identified breaches in enough detail, and within 72 hours of becoming aware of the breach, where feasible. These things are now vitally important as reporting requirements are much stricter under GDPR.
The fact that most businesses are hit by hackers at weekends indicates that businesses need to ensure that they have 24/7, 7-day-a-week controls, defences and procedures in place to be able to protect their systems and the data they hold.