By Jake Olcott, VP of Strategic Partnerships at BitSight
After years of debate over whether to impose new cybersecurity regulations on companies, General Data Protection Regulation (GDPR) laws went into effect in May 2018. Already we’ve seen several data breach victims ordered to pay fines under the new rules and cookie disclosure notices are popping up on more websites than ever.
Everyone is waiting with bated breath for the first report from the Information Commissioner’s Office (ICO), to be issued after the implementation of GDPR, in order to gain an understanding of the magnitude of breach reporting.
The most recent report from the Information Commissioner’s Office (ICO) has revealed a 29% increase in the number of reported data security incidents, from 3146 between April and June 2018 to 4056 between July and September 2018. This represents a 490% increase compared to the same quarter in 2017. This doesn’t necessarily mean that organisations are experiencing more incidents, but it does mean that more are now being reported, as organisations try to tread carefully.
This has inevitably been fuelled by GDPR, as well as the significant data breach incidents that recognisable brands have suffered. However, this increase is also likely due to the new data breach notification requirements under GDPR, which require organisations to report incidents within 72 hours of becoming aware of them.
Drilling into the statistics, most data breach incidents are down to people, processes and inadequate policies. These frequently involve internal users making mistakes, including the incorrect disclosure of data; this accounted for 62% of all data incidents between July and September 2018.
In terms of monetary penalties, £875,000 of fines were issued under the UK’s Data Protection Act (DPA), between July and September 2018, down from £1,030,000 between April and June 2018. It should be noted that from GDPR’s enforcement on 25th May to the beginning of October 2018, fines reached £1,425,000, with organisations undoubtedly falling foul of the new regulations as they work towards achieving full compliance.
But let’s think about the bigger picture. Is GDPR working? How would we know?
For years, global policymakers have struggled to develop effective responses to cyber threats, in part because they just don’t have the data to understand what’s actually happening in cyberspace. Think about it: if you are a policymaker considering how to address unemployment, you can turn to the Office for National Statistics (ONS), which measures labour market activity, working conditions and the impact of economic activity, in addition to comprehensive census data on personal, socio-demographic and economic issues.
When it comes to cybersecurity, the UK Government’s National Cyber Security Centre (NCSC) has taken the leading role in significantly raising awareness of the evolving cybersecurity risks facing all UK businesses with a digital footprint, as well as the threat to the UK’s Critical National Infrastructure (CNI). This includes a comprehensive bank of guidance on a variety of topics, alongside extensive education and research papers, insights, alerts and advisories, and recommended certified cybersecurity products.
BitSight is taking a different approach to cybersecurity and risk management, enabling it to profile and identify specific threats. Thanks to its extensive data collection and processing techniques and capabilities, BitSight is able to collect, evaluate and measure cybersecurity performance across global organisations, providing unique and valuable insight into global, regional and sectoral performance trends across organisations of varying sizes.
When BitSight recently analysed the security performance of more than 140,000 organisations worldwide, the findings were surprising. While its research revealed a steady decrease in security performance across all worldwide regions, organisations within continental Europe actually improved their security performance over the last year. One area in which organisations have improved is the implementation of stronger controls to reduce Internet-exposed services (open ports).
Security performance data may be useful to policymakers as they consider the impact of existing regulations like GDPR, but also future policies and regulations. Policymakers around the world will continue to consider implementing regulations based on GDPR that will protect citizens from poor data security management.
The industry has already seen many calls to adopt similar legislation elsewhere around the world, including from Apple’s Tim Cook who, in October 2018 at the Conference of Data Protection and Privacy Commissioners in Belgium, proposed that the U.S. enact a policy similar to GDPR. This summer, California passed the California Consumer Privacy Act, which imposes stronger privacy regulations on companies doing business in the state, and similar measures are being discussed across the United States.
How will policymakers judge the necessity or effectiveness of these efforts? In what sectors should they spend their time and focus? On what sized companies? What data will they use? How will they model the impact of introducing such policies?
Global policymakers must begin thinking about the essential elements that will be necessary to build a lasting legal and policy framework to address these significant cyber risks. The ONS was established over 20 years ago; as we look ahead to the next two decades, the transformational changes that will occur worldwide as a result of technological and connectivity developments will inevitably present a new wave of cybersecurity challenges, making quantitative cybersecurity more crucial than ever.