The survey revealed that 70 percent of companies had implemented ‘best cybersecurity practice’ guidelines, but only 46 percent of businesses are encrypting their data on removable devices. Furthermore, an overwhelming number of organisations (63 percent) still use passwords as a gatekeeper of their IT infrastructure, even though it is the least reliable method.
The ESET and Kingston research looked at over 500 British business leaders to investigate how they are protecting their companies from cyber threats in a post-GDPR world. The survey revealed that there is a significant disconnect between the IT teams that put the best practice guidelines in place, procurement teams that provide business equipment, and employees that follow the plan.
Jake Moore, a cybersecurity specialist at ESET, said: “The Information Commissioner’s Office’s (ICO) role is to uphold information rights in the interest of the public. However, the ICO will still require organisations operating within the EU to rethink how they conduct their business to protect their employees’ and customers’ data. While the ICO enforced GDPR in 2018 to hold firms accountable and promote better data governance, the research shows us that almost half of the companies surveyed are failing to follow their own best practice guidelines, which is concerning. Even though the survey shows that some businesses have started to secure their removable devices, all it takes is one infected USB to bring down the whole IT network. When it comes to security, companies need to be 100 per cent secure and recognise that there is no room for error. At this stage, lack of security measures risks not only the IT networks but also the profitability of the firm which most can’t afford to jeopardise.”
Robert Allen, European Director of Marketing & Technical Services at Kingston Digital, said: “With demand for flexible work rising, businesses can no longer afford not to offer their employees easy ways to access documents on the go. USBs have proved themselves to be a popular way to move files due to their low-maintenance nature. Nevertheless, this doesn’t mean that removable devices are risk-free. Like any connected devices, cybercriminals can use USBs to spread ransomware and infiltrate corporate data.
“At Kingston, we are always surprised at the low percentage of encrypted USB products that we supply compared to unprotected USBs. This does not only risk organisations’ IT systems, but it also exposes businesses to GDPR fines. It is crucial that companies start protecting removable devices with the right antivirus software and data encryption to ensure that cybercriminals can’t use them as a gateway into IT networks and corporate data.”
Meanwhile, a similar survey conducted by CybSafe found that the majority of UK businesses are in breach of GDPR rules and that few have changed their corporate policies as a result of the legislation.
A year after the law came into effect on 25 May 2018, the results of CybSafe’s research of 250 business decision makers demonstrate high levels of non-compliance. Of the IT decision makers from UK businesses surveyed by CybSafe, only 57 percent believe their organisation is compliant with GDPR. However, 56 percent of respondents admitted that their company had failed to request consent to store sensitive data. Sixteen percent said they had knowingly ignored subject access requests.
Although GDPR was supposed to usher in a sea-change in businesses’ approach to data and security, CybSafe’s research also shows that few UK businesses have changed their policies or commitment to cybersecurity because of the law.
Only 39 percent of respondents said that cybersecurity had become a high priority for their organisation's senior management because of GDPR. Meanwhile, only 37 percent said that their business had amended its cybersecurity policies or processes because of the legislation. Just 32 percent said that cybersecurity training had become a priority in response to GDPR.
Oz Alashe, CEO and founder of CybSafe, said: “GDPR may have benefited consumers by emptying their inboxes of unwanted mail, but in terms of sparking action amongst businesses, it hasn’t been universally impactful. While things have changed for the better in some areas, a large number of organisations are still falling well short of the standards that the legislation has laid out. One whole year on from its introduction, this is disappointing, to say the least.”
The findings from CybSafe tally with the government’s own Cyber Security Breaches Survey published earlier this year, which shows that the cybersecurity needle of UK businesses hasn’t moved significantly since the introduction of GDPR. According to the government report, 33 percent of UK businesses now use written cybersecurity policies, up only marginally from 27 percent before GDPR. The report also claims that 57 percent of UK businesses update their senior management on actions taken around cybersecurity at least once a quarter, again up only slightly from 51 percent before GDPR.
Alashe added: “It’s vital that businesses do take GDPR seriously, and not just because they fear a fine. Enforcing GDPR helps businesses protect their reputation and their precious information. The legislation is an opportunity to clean up data, to understand what data needs to be retained, and to reduce the risk of being the victim of a data scandal caused by poor privacy practices.”