According to a new CyberArk survey, half of organisations (50 percent) did not fully inform customers when their personal data was compromised in a cyber attack. With enforcement of the General Data Protection Regulation (GDPR) anticipated for May 2018, organisations that do not take action to improve transparency associated with breaches will face substantial consequences.
The findings are included in the second installment of the CyberArk Global Advanced Threat Landscape Report 2018. This report, “The Business View of Security: Examining the Alignment Gap and Dangerous Disconnects,” reviews business leaders’ views of IT security and misalignment with IT security leaders that can put organisations, and their customers, at risk.
Additional key findings include:
- Security concern does not translate into accountability
  - 46 percent of security respondents say their organisation can’t stop every attempt to break into their internal network
  - 63 percent of business respondents are concerned that their organisation is susceptible to attacks, like phishing, targeting the executive team
  - Despite this high level of concern, 49 percent of business respondents report not having sufficient knowledge about security policies, and 52 percent do not understand their specific role in response to a cyber attack
  - Worryingly, 33 percent of security professionals surveyed also claimed not to have adequate knowledge of – presumably their own – security policies
- Gaps in security best practices persist
  - 42 percent of line of business respondents say they store passwords in a document on a company PC or laptop
  - 21 percent of line of business respondents still record credentials in paper notebooks or store them in filing cabinets
  - 31 percent of security professionals surveyed still do not use a privileged account security solution to store and manage privileged and/or administrative passwords
- Trust in security is at the core of commercial relationships
  - Similarly, 44 percent of business respondents say potential partners assess their organisation’s security before doing business with them
  - 51 percent of organisations provide third-party vendors remote access to their networks and, of this group, 23 percent fail to monitor remote vendor activity
“Unfortunately, it’s not uncommon for organisations to want to hide the extent of damage caused by cyber attacks. As we’ve seen in data breaches at Yahoo!, Uber and more, these organisations are either intentionally hiding initial details, or the attacks were more extensive than first thought,” said David Higgins, Director of Customer Development, EMEA at CyberArk. “This sort of behaviour will have massive consequences in the coming year with enforcement of GDPR fines for lack of compliance. What’s also surprising about this survey is the persistence of rampant poor security best practices and lack of consistency across line of business and IT security leaders – despite strong awareness of risks and continued headline-generating cyber attacks.”
The 11th Annual CyberArk Global Advanced Threat Landscape Report 2018 will be released in three parts. The first installment was a “Focus on DevOps.” These findings are from part two, focusing on business leaders’ view of IT security. The survey was conducted by Vanson Bourne in autumn 2017 amongst more than 1,300 IT security decision-makers, DevOps and app developer professionals and line of business owners, across seven countries worldwide.