Study shows nearly one-third of security pros have found GDPR ineffective
One Identity, a leader in helping organisations get identity and access management (IAM) right, has announced the results of a survey of over 300 security professionals.
The results indicated that while the majority of organisations (76%) store sensitive data such as emails, salary and compensation details, intellectual property and customer data in the cloud, they still struggle with detecting a breach, with two-thirds confessing that it would take an hour or longer to spot a hijacked account, if they spotted it at all.
Worryingly, real-time detection of malicious actors within the system is difficult for more than a quarter of organisations (26%), and this, together with spotting an insider attack (24%), was recognised as the most challenging aspect of dealing with a cyberattack.
“Nearly all breaches involve a malicious actor escalating privileges or an insider abusing their access permissions. I was surprised to find out that – knowing where an attack will likely come from – so many respondents admitted to being unprepared,” said Todd Peterson, IAM evangelist at One Identity.
This poses a concern especially in light of the European General Data Protection Regulation (GDPR), which is now over a year old and stipulates that data breaches must be reported within 72 hours of the breach discovery.
However, the time to discovery is more likely to be months, according to the latest Data Breach Investigations Report published by Verizon. The study also found that GDPR is a very divisive topic among security professionals: nearly a third of respondents (30%) think that GDPR regulations were either ineffective or that data breaches seemed to have gotten worse since its introduction.
Shedding some light on the findings, Peterson said: “GDPR was never meant to protect the data against hacks, and the feeling that data breaches have increased since its introduction is probably due to the fact that many data leaks that would otherwise go unnoticed now need to be reported to the relevant regulatory bodies.
“What GDPR did do, however, was make people more conscious about data and privacy, and made companies think about the importance of knowing who can – and tracking who does – access databases of sensitive information. This study proves that there is still work to be done on educating the industry, particularly around equating compliance to security.”
www.intelligentciso.com | Issue 18 | 57