Cyber security company Trend Micro has conducted a survey finding that C-level executives are not taking the upcoming General Data Protection Regulation (GDPR) seriously enough.
The survey has found up to 16% of respondents don’t believe they will be impacted by the regulatory scheme, and more than a quarter (28%) admit they have limited or no processes in place for risk management and cloud security within their organisation.
The company says the results indicate some confusion as to exactly what Personally Identifiable Information (PII) needs to be protected.
Of those surveyed, 64% were unaware that a customer’s date of birth constitutes PII, and 42% wouldn’t classify email marketing databases as PII.
32% also don’t consider physical addresses and 21% don’t see a customer’s email address as PII either.
These results indicate that businesses are not as prepared or secure as they believe themselves to be: this data provides hackers with all they need to commit identity theft, and businesses face fines for non-compliance.
Indi Siriniwasa, Trend Micro A/NZ managing director for enterprise and government, says it’s concerning that so many Australian organisations are not prepared for the new legislation.
“It has never been more important for organisations to make cybersecurity a key priority, and protect the interests of their customers against cyber security attacks,” he says.
“Not only is this a security and prevention issue, but it can also have a disastrous impact on both brand and reputation.”
According to the global survey, 66% of respondents appear to be dismissive of the amount they could be fined without the required security protections in place.
Additionally, 66% of businesses believe reputation and brand equity damage is the biggest pitfall in the event of a breach, with 46% of respondents claiming this would have the largest effect on existing customers.
Trend Micro says these attitudes are especially alarming considering businesses could be shut down in the event of a breach.
In addition, the survey has found businesses aren’t sure who should take ownership of ensuring compliance with the regulation.
Of those surveyed, 31% believe the CEO is responsible for leading GDPR compliance, whereas 27% think the CISO and their security team should take the lead.
The survey has found only 21% of those businesses actually have a senior executive involved in the GDPR process.
Siriniwasa adds, “Increasingly, cyber security is being addressed by executives at a board level which has been triggered mainly by the widespread awareness around the financial and reputational threat that outbreaks such as WannaCry and Petya have had on organisations around the world.
“It’s important for key decision makers including board executives to take shared responsibility to drive much-needed industry change.”
With threats growing in sophistication, businesses often lack the expertise to combat them, and layered data protection technology is required.
GDPR mandates that businesses must implement state-of-the-art technologies relative to the risks faced.
Despite this, only 34% of businesses have implemented advanced capabilities to identify intruders, 33% have invested in data leak prevention technology and 31% have employed encryption technologies.
The GDPR scheme will be implemented globally on the 25th of May 2018.