Companies at the recent Infosecurity Europe 2019 conference were well-prepared with data breach response plans, but less sure about which breaches to report, according to a survey conducted at the show.
Security company Tripwire surveyed 298 IT security professionals to find out how much they knew about disclosure requirements.
One of GDPR’s big requirements involves declaring data breaches within 72 hours. However, some respondents couldn’t, and depending on the type of incident, some wouldn’t.
Most of the respondents said that they can comply with the 72-hour rule at this point, but 14% could not.
The type of security incident also played a part here. Tripwire found 21% of respondents unwilling to disclose accidental data exposure through the cloud (an increasing occurrence thanks to misconfigured public-facing software). Of the rest, 23% said “maybe.”
The responses were similar when it came to ransomware attacks. While slightly more than two thirds (67%) of respondents agreed that they should report a ransomware attack to customers and regulators, 20% were unsure and 13% said that they didn't need to.
The uncertainty around ransomware is understandable. Tripwire said that when it comes to security incidents like these, the devil is in the detail. There are three kinds of reportable breach under GDPR, it explained: confidentiality, integrity, and availability (the famous 'CIA' security trio).
“While the loss of access to data might only be temporary and not allow us to apply the availability principle (presuming you can restore from a backup plan), the ‘unauthorized access’ part of the confidentiality principle could be invoked once again depending on the particular details,” it said.
Tripwire found a more unanimous response when it asked companies about their incident response preparedness. The majority (92%) of companies had an incident response plan, with most updating it on a regular basis. Only 5% hadn't updated it in more than a year, with 22% updating their response plans annually. An impressive 20% audited their response plan on a weekly basis, although it wasn't clear how extensive or detailed a weekly audit would really be. Still, the fact they're regularly thinking about these plans is encouraging.
Having a plan is only half the battle. The other half is communicating and enforcing it. The results were positive here, too. The survey also found that 74% of companies had implemented data breach prevention or response training for employees. Of the remainder, 11% didn't know if they had or not.
There's always a danger of a statistically skewed base with these in-conference surveys, because the folks attending a security conference will naturally be a little more aware of the issues and engaged. Still, it's encouraging to see so many respondents taking incident response seriously, even if they're not entirely sure about the nuances on the data breach reporting side.