As GDPR deadline nears, businesses are confused and unprepared

The countdown is on—global businesses now have just six months until the General Data Protection Regulation (GDPR) is enforced.

But a recent study from cybersecurity solutions firm Trend Micro Incorporated reveals confusion among businesses about the regulations, with 30 percent unable to agree on what “State of the Art” security requirements entail.

The firm’s survey found wide variation on the definition of “State of the Art” security among 1,000 IT decision makers from businesses across the globe:

• While 30 percent of businesses define “State of the Art” as buying security from an established market leader, another 17 percent think it means using products that pass independent third-party tests.
• Additionally, 16 percent believe it refers to products that are highly rated by analyst reports, and 14 percent think it covers startups providing innovative technology.
• Worryingly, 12 percent of IT decision makers are more concerned about the price of security products than whether the products they invest in meet GDPR requirements, and 9 percent were unable to provide a definition at all.

“There are many hurdles for businesses to overcome in establishing GDPR compliance—trying to demystify what ‘State of the Art’ means is but another challenge on the list,” said Rik Ferguson, vice president of security research for Trend Micro, in a news release. “Regulatory enforcement bodies should offer further clarification on what ‘State of the Art’ means, so businesses can ensure they’re not stepping into a fine once May 2018 arrives.”

A breach of trust

Another hurdle for businesses to conquer involves the new timeline in regards to informing regional Data Protection Authorities, like the Information Commissioner’s Office (ICO) in the UK, and customers affected in the event of a data breach.

• Despite this, just 63 percent of businesses have a notification process in place for their customers. And, in countries like the U.S., there is a state-by-state approach requiring (or not) notification of a breach occurring.
• However, against GDPR guidelines, 21 percent of companies have a process to inform their data protection authority but actually avoid notifying customers.
• Companies are also not currently prepared to handle their customers’ ‘right to be forgotten,’ despite 63 percent citing that customers are asking for more transparency when it comes to the use of their data.
• While 77 percent have a process in place for data they collect, only 64 percent can process requests for data their partners collect.
• In addition, only 63 percent can process data their cloud service providers hold and 60 percent can fulfil requests relating to data third party agencies collect.

GDPR purchasing priorities

While mandating state of the art security does enable GDPR to maintain relevance in the face on continual technology advancement, the lack of specific approach definitions has introduced confusion and challenges around prioritization of technology.

• The most commonly implemented solution is intruder identification technology, with 34 percent incorporating it into their organization.
• Data leak protection (DLP) technology is also used by 33 percent of businesses, while 31 percent have started encrypting their data.
• Additionally, 29 percent are encrypting passwords or implementing hardware lockdowns to combat infected USB sticks.

Despite these cybersecurity purchases, this research reveals that the majority of organizations have not taken steps that would qualify their approach as state of the art, suggesting that they are depending on single purpose or legacy defenses rather than taking a multi-layered approach.

To ensure data is as secure as possible, a layered cybersecurity defense must be implemented to ensure protection at every level of the IT environment.

However, it’s not just about technology

Investing in education is also a GDPR priority. The research shows 63 percent of organizations have not yet started to raise awareness, and only 33 percent having introduced a new data protection policy.

“Educating employees and updating data protection policies is all well and good, but if corporate data isn’t protected, intruders can’t be detected, and if protections aren’t in place to prevent data leaks, businesses don’t have a cybersecurity strategy,” Ferguson continued. “There’s no silver bullet to cybersecurity; it’s an all-encompassing war in which multiple techniques are necessary to fight hackers’ increasing pragmatism. Any business that doesn’t realize this quite simply won’t be compliant with the regulation.”

Watch Trend Micro’s GDPR webinar here.

The survey included responses from IT decision makers at businesses with 500+ employees in 11 countries, including USA, UK, France, Italy, Spain, Netherlands, Germany, Poland, Sweden, Austria and Switzerland.