Companies Struggling to Meet GDPR Security Standards

by CXOtoday News Desk    Jun 02, 2017


Global organizations are struggling with their digital security strategy, according to various research reports. With one year remaining until the EU General Data Protection Regulation (GDPR) takes effect, new research by RiskIQ reveals that more than one-third of all public web pages of FTSE 30 companies that capture personally identifiable information (PII) are in danger of violating the regulation by doing so insecurely.

This serves as a wake-up call: GDPR comes into force on May 25, 2018, yet even big-budget companies in the UK are still at risk of missing the mark. It is also a lesson for organizations worldwide to take a much closer look at their digital security.

GDPR compliance violation

When assessing the public websites of FTSE 30 organizations, from across verticals such as banking, retail, IT and FMCG, RiskIQ reveals that 34% of pages that collect PII are doing so insecurely, 29% are not using encryption, 3.5% are using very old, vulnerable encryption algorithms and 1.5% have expired certificates. 

The research found that more controls on external facing web assets, known as an organization’s digital footprint, are needed in order to support requirements ahead of the fast-approaching GDPR deadline. Most data capture forms found on websites fall within the scope of GDPR as they collect personal data. The regulation emphasizes that provisions should be in place to ensure that PII is securely captured and processed. In the UK, the Information Commissioner has provided guidance that, in the case of data loss where encryption software has not been used to protect the data, regulatory action may be pursued.
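The three failure classes the RiskIQ figures break down into (no encryption, weak or outdated encryption, expired certificates) are exactly what an organization can audit on its own digital footprint. The script below is an added illustration, not RiskIQ's tooling or code from the article: it flags PII-capturing forms whose action URL is not https:// and checks a certificate's notAfter date for expiry. The PII field-name heuristic, the example.com sample page and the constructed dates are assumptions.

```python
import re
import ssl
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Field names suggesting a form captures PII (a heuristic, not GDPR's definition).
PII_HINTS = re.compile(r"email|name|phone|address|postcode|zip|birth|passport|card", re.I)

class FormCollector(HTMLParser):
    """Record each <form> with its resolved action URL and the names of its fields."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.forms, self._cur = page_url, [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A missing or relative action resolves against the page URL itself.
            self._cur = {"action": urljoin(self.page_url, a.get("action") or ""), "fields": []}
            self.forms.append(self._cur)
        elif tag in ("input", "textarea", "select") and self._cur is not None:
            self._cur["fields"].append(a.get("name") or a.get("id") or "")

    def handle_endtag(self, tag):
        if tag == "form":
            self._cur = None

def audit_pii_forms(page_url, html):
    """Return PII-capturing forms whose submission target is not an https:// URL."""
    collector = FormCollector(page_url)
    collector.feed(html)
    findings = []
    for form in collector.forms:
        pii = [n for n in form["fields"] if PII_HINTS.search(n)]
        if pii and urlsplit(form["action"]).scheme != "https":
            findings.append({"action": form["action"], "pii_fields": pii})
    return findings

def certificate_expired(not_after, now_epoch):
    """True if a notAfter string (format used by ssl.getpeercert) lies before now_epoch."""
    return ssl.cert_time_to_seconds(not_after) < now_epoch

# Constructed sample page: one PII form posting over plain HTTP, one over HTTPS, one search box.
SAMPLE_URL = "http://www.example.com/contact"
SAMPLE_HTML = """
<form action="/submit" method="post"><input name="name"><input name="email"><input type="submit"></form>
<form action="https://secure.example.com/login" method="post"><input name="username"><input name="password"></form>
<form action="/search"><input name="q"></form>
"""
```

Running `audit_pii_forms(SAMPLE_URL, SAMPLE_HTML)` reports only the contact form, because its relative action resolves to an http:// URL; the login form is on https:// and the search box collects no PII.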

Insecure collection of PII is not just a GDPR compliance violation. The loss of personal data, profit, and reputation resulting from the use of insecure forms is a legitimate concern for consumers, as well as shareholders. In addition to personal claim liability, Article 83 provides guidance on fines for GDPR faults, which start at the greater of €10m or 2% of global annual turnover for the preceding financial year - or even double depending on the infraction. This applies to all companies actively engaging with European citizens, regardless of whether they have a physical presence in Europe.

As Bob Tarzey, analyst and director, Quocirca Ltd., said, “While this RiskIQ research is focused on large UK companies, the findings will be representative of all organizations. Many will already have the data security basics in place to comply with the regulations that precede GDPR. However, GDPR has many additional requirements, especially around the way data is captured and processed. These include obtaining explicit opt-in from data subjects. Before an organization can address GDPR, it needs to fully understand the extent of its online data gathering activities. With enforcement of GDPR less than a year away, the time to act is now.”

Another survey, from WinMagic, asked IT leaders in the U.S., UK, Germany and France about their current data policies to see how well aligned they are with the EU GDPR. It suggests that many still have a great deal of preparatory work to undertake to avoid substantial non-compliance fines in the future.

In terms of protecting EU citizens from data breaches, the survey found that companies do not currently have the processes or technology in place to adequately meet EU GDPR requirements around data breaches: less than half (46%) are completely confident that they could precisely identify the data exposed in a breach.

“Companies have some way to go over the next 12 months if they are to ensure compliance, and must focus on some security fundamentals such as implementing encryption and data lifecycle protection technology,” said Mark Hickman, COO at WinMagic.

According to him, compliance is not just a matter of avoiding fines; consumers care deeply about the abuse and loss of their data. The reputational damage from non-compliance can far outweigh the turnover-based fine a company could receive.

The India lessons

While there is a global hue and cry over growing digital footprints and these research reports serve as an eye-opener, it needs to be mentioned that India is also at high risk of cyber attacks, and the various breaches that took place in the last 1-2 years are evidence that the country needs to tighten its digital security belt. India also ranked fourth globally among the countries most affected by ransomware, according to a recent report.

In 2017’s Union Budget, finance minister, Arun Jaitley, announced plans by the Indian government to enhance India’s digital footprint and also announced the government’s mission to achieve a target of 2,500 crore digital transactions for 2017-18 through UPI, USSD, Aadhar Pay, IMPS and debit cards. Hence, the challenge for large organizations is the sheer volume and complexity of websites and web applications that need to be accounted for, not only for security purposes but also for regulatory compliance.

The various regulations imposed by the RBI and the government (including the initiatives of the Ministry of Electronics and Information Technology and CERT-In) may well bring more transparency into the system, but will they be enough to curb the increasing number of incidents, such as cyber warfare, intellectual property crimes and ransomware, among others?

In other words, as these reports suggest, what India needs is a cyber security vision in line with its Digital India mission. And maybe then a time will come when we will remember not the breach, but how it was tackled.