Data breach reality exposes 'head in the clouds' law-makers
A new study shows just how out of touch the European Commission was in demanding that firms report a data breach within 24 hours: it reveals that most firms do not realise their systems are under threat for at least a fortnight.
The original draft General Data Protection Regulation, dating back to 2012, has since been amended; in the latest version, which has yet to be passed, firms will have to report a breach "without undue delay".
According to Intel Security research, a quarter of UK organisations admit they took more than two weeks to realise they were under cyber attack last year, while 39% of UK tech staff admitted that a threat, once discovered, took a further two weeks to three months to remove and fix.
Technology professionals said the top three most time-consuming incident detection and response tasks were determining the impact and/or scope of a security incident (50%), taking action to minimise the impact of an attack (45%), and determining which assets, if any, remain vulnerable to a similar type of attack (45%).
Intel Security EMEA chief technology officer Raj Samani said: “It’s worrying to see that companies in the UK are losing out on critical time in the initial onset of an attack, when immediate action is crucial. Hackers don’t hang around - as soon as they identify a vulnerability within a corporate network, they will be working to spread this as far as possible throughout the enterprise, wreaking havoc and compromising data along the way.”
The report, which questioned 700 executives globally, also found similar security issues in other countries. In France, 25% of those surveyed said their company took at least two weeks to discover an advanced cyber-attack, while in the US the figure rose to 35%.
Beyond a lack of necessary tools, 80% of executives in the UK believed their organisation suffered from a shortage of security skills among staff. Despite this, less than half (40%) of UK companies said they are currently recruiting for new security talent – the lowest number globally.