LogRhythm points out that despite the increase in cyber threats from the rise of APTs and hacktivism, “52 percent of respondents reported that the proportion of IT budget spent on security had not gone up in the last five years.” However, 77 percent indicated that the implementation of the new EC Data Protection Regulation, which proposes a two percent of global annual turnover fine, “would motivate them to increase the spending on IT security.”
Ars Technica puts the threat into perspective. Commenting on the FTC fining Google $25,000 for “noncompliance with [FCC] information and document requests,” it goes on to suggest that once the EU Regulation is in place, a 2% fine for non-compliance “could have reached €758 million ($990 million).” That is, nearly $1 billion. The result is that UK companies now seem to be taking the threat from regulations more seriously than the threat from cybercriminals.
The problem is not merely the potential size of the fine, but also the required time-frame for breach notification; and the survey indicates that UK companies do not believe they will be able to comply. Firstly, 28% of respondents said it is doubtful that breaches can be prevented, while 18 percent believe that breaches are now inevitable regardless of the security measures in place. Most independent security experts confirm that the question is not ‘if’ but ‘when’ a breach will happen. So the real compliance issue is whether companies will be able to report a breach within the required 24 hour period. Here, 87% of the survey respondents believe they would not be able to identify the individuals within the required time, 13% believe it will take about a week, and six percent do not believe they will ever be able to accurately find the information.
This alone could lead to the separate problem of ‘over-disclosure’, a tendency to issue blanket breach notifications to be sure of catching everything. The problem here, says, LogRhythm’s Ross Brewer, is that “the severity of an incident may be overstated, leading to a loss of confidence amongst potential and existing customers. In addition, the cost of informing an individual their data may have been stolen is just as high as telling them it definitely has and is often an unnecessary expense.”
It is worrying, he concluded, “that so many organizations’ IT security decisions seem to be motivated by non-compliance and the threat of financial penalties, rather than a desire to employ a best practice approach. Unfortunately it appears that these attitudes stem from the top as 50% of respondents stated that new regulations are one of the main ways of engaging senior level staff with the IT security decision making process.”