The cybersecurity industry believes that the European General Data Protection Regulation (GDPR) is stifling innovation according to the latest survey carried out by AlienVault, a leading crowdsourced threat intelligence provider.
In a recent survey of over 900 conference participants at Infosecurity Europe, almost half (49%) of respondents said that the threat of GDPR fines is making them more nervous of using cloud-based apps and services. This could be due to the lack of cloud security expertise that participants described within their organisations. Over a quarter of them (28%) described the level of cloud security expertise in their organisations as either ‘novice’ or ‘not very competent’.
Over a quarter of those surveyed (27%) admitted to cutting corners with cloud security in order to reduce costs, such as sharing credentials to access cloud-based apps and services within their organisations. In addition, almost half (48%) either don’t have, or aren’t sure if they have, data processing agreements set up with new cloud providers. This is an essential part of GDPR compliance, and ensures that any cloud apps are adhering to data privacy protection requirements when processing customer data.
Javvad Malik, security advocate at AlienVault, explains: “Cloud security is clearly still a thorn in the side for some organisations, with IT teams still struggling to monitor their environments effectively for security threats. In a separate AlienVault survey, we found that around a fifth of IT professionals don’t know how many cloud applications are being used within their organisations. This lack of visibility raises the question of how cloud-consuming organisations are going to cope with the requirements of GDPR if they don’t even know which apps are being used.”
In relation to Article 33 of the GDPR legislation, which states organisations must report a data breach within 72 hours, Half of respondents (50%) believe that the 72 hour rule could do more harm than good. For example, people might try to cover up data breaches to avoid the fine, rather than reporting them in a less timely manner. One reason for this could be because a significant proportion (43%) of survey participants don’t think their organisation could, or aren’t sure if they could, identify and report a data breach within 72 hours.
Javvad Malik explains: “Organisations with small and overstretched security teams, and limited budgets for cybersecurity, are likely to be extremely worried about the threat of GDPR fines. After all, the potential of having to pay up to 4% of global turnover could have a serious effect on a fledgling business potentially impacting earnings or funding opportunities. They could also lose customers through reputational damage and even have to consider making redundancies. Set against this backdrop, it’s easy to see why some might consider trying to cover up a data breach, rather than deal with the consequences. But this could lead to far greater problems for them in the long term.”