Businesses unable to comply with EC 24 hour breach notification

UK businesses do not believe they have the capability to comply with new European Commission Data Protection Directive rules, specifically the ability to generate accurate breach notifications in the event of a data leak.

The LogRhythm research, which surveyed 200 IT decision makers at UK businesses with more than 1,000 employees, found 87 percent of respondents would be unable to identify individuals affected by a breach within the proposed 24 hour notification timeframe.

Furthermore, 13 percent claimed it would take them between one week and a month to pinpoint which customer data was affected, while six percent did not believe they would ever be able to accurately obtain this information.

When asked more specifically about their ability to produce accurate breach notifications, 72 percent of respondents stated that the implementation of a 24 hour notice period would put their organizations at risk of “over-disclosure’.

This is when organizations are forced to reveal more information than is strictly necessary, for example notifying every individual who might have been affected by a breach rather than just those who definitely were.

Over-disclosure is an issue that has been causing concern in locations, such as the United States, that already have breach notification laws in place,” said Ross Brewer, vice president and managing director for international markets at LogRhythm. “The issuing of blanket breach notifications will inevitably have negative repercussions for the affected organization. For example, the severity of an incident may be overstated, leading to a loss of confidence amongst potential and existing customers. In addition, the cost of informing an individual their data may have been stolen is just as high as telling them it definitely has and is often an unnecessary expense.”

The LogRhythm research also provided an insight into the motivations driving the decisions behind IT security strategy. Despite an escalation in the cyber threat in recent years, caused in part by the increasing sophistication of Advanced Persistent Threats (APTs) and the rise of “hacktivism’, 52 percent of respondents reported that the proportion of IT budget spent on security had not gone up in the last five years.

In addition, 77 percent stated that the implementation of data breach penalties, such as the EC’s proposed two percent of an organization’s global turnover, would motivate them to increase the spending on IT security.

The study provided further evidence of the lack of network visibility that seems to be common amongst organizations today. When asked if their company had ever experienced a security breach incident 27 percent responded that they did not know. In addition, 47 percent of respondents admitted that data is only analyzed after a security event has occurred rather than on a proactive basis.

While this research suggests that security spend is not going up, it does show that organizations are beginning to realize how effective modern cyber threats are at achieving their goals. 28 percent of respondents said it is doubtful that breaches can be prevented, while 18 percent believe that breaches are now inevitable regardless of the security measures in place.

Brewer continued: “It is worrying that so many organizations’ IT security decisions seem to be motivated by non-compliance and the threat of financial penalties, rather than a desire to employ a best practice approach. Unfortunately it appears that these attitudes stem from the top as 50 percent of respondents stated that new regulations are one of the main ways of engaging senior level staff with the IT security decision making process.

“It was also a surprise to find that almost half of respondents are still employing a post-event analysis approach when the general feeling is that traditional security solutions are no longer able to prevent breaches. Clearly a best-practice approach would be to employ continuous collection and analysis of all log data generated by the IT estate.

This would provide the traceability required to detect any early indication of an impending attack. Effective remediation of threats, and limitation of the damage they can cause, depends on organisations having this ability to combat them in the early stages, something only proactive Protective Monitoring can provide.”