Many global business decision makers are unaware of the implications of the forthcoming General Data Protection Regulation (GDPR), as well as of other compliance requirements such as PCI DSS and ISO 27001/27002, with one in five admitting they do not know which regulations their organisation is subject to. This is according to the 2017 Risk:Value report, commissioned by NTT Security, the specialised security company of NTT Group, which looks at attitudes to risk and the value of information security to the business.
The survey of 1,350 non-IT executives across 11 countries reveals that just four in ten (40 per cent) respondents globally believe their organisation will be subject to the EU GDPR. Perhaps of most concern is the one in five (19 per cent) who admit they don’t know which compliance regulations they are subject to. In the UK, just 39 per cent of respondents currently identify GDPR as a compliance issue and 20 per cent admit they don’t know, while those outside Europe are even less aware.
Just a quarter of business decision makers in the US, 26 per cent in Australia, and 29 per cent in Hong Kong believe they are subject to the GDPR, despite the fact that it applies to any organisation, wherever it is based, that offers goods or services to individuals in the EU or monitors their behaviour, which in practice means any business holding or collecting personal data on people in Europe.
Applying from 25 May 2018, the legislation leaves companies with less than a year to comply with strict new requirements around data privacy and security, and non-compliance could result in penalties of up to €20 million or 4 per cent of global annual turnover, whichever is higher.
With data management and storage a key component of the GDPR, the Risk:Value report also reveals that a third of respondents do not know where their organisation’s data is stored, while just 47 per cent say all of their critical data is securely stored.
Of those that know where their data is, fewer than half (45 per cent) describe themselves as ‘definitely aware’ of how new regulations will affect their organisation’s data storage. Respondents in financial services and banking, and in computer services and technology, are the most likely to know where their data is stored and which compliance regulations they are subject to.
‘In an uncertain world, there is one thing organisations can be sure of and that’s the need to mark the date of 25 May 2018 in their calendars,’ according to Garry Sidaway, senior vice president of security strategy and alliances at NTT Security.
‘While the GDPR is a European data protection initiative, the impact will be felt right across the world for anyone who collects or retains personally identifiable data from any individual in Europe. Our report clearly indicates that a significant number do not yet have it on their radar or are ignoring it. Unfortunately, many organisations see compliance as a costly exercise that delivers little or no value. However, without it, they could find themselves losing business as a result, or paying large regulatory fines.’
Quantifying the threat – reputation, revenue and resignations
One in eight respondents believe that poor information security is the ‘single greatest risk’ to the business. The most commonly reported risk is ‘competitors taking market share’ (28 per cent).
According to Risk:Value, 57 per cent of decision makers believe a data breach is inevitable at some point.
The impact of a breach is expected to be two-fold, with respondents anticipating both damage to their long-term ability to do business and short-term financial losses. More than half (55 per cent) cite loss of customer confidence, followed by damage to reputation (51 per cent) and financial loss (43 per cent), while 13 per cent expect staff losses and nine per cent say senior executive resignations would impact them.
The estimated cost of recovery, on average, has increased from $907,000 in 2015 to $1.35m in 2017.
The estimated impact on revenue has decreased from 12.51 per cent in 2015, but is still a significant 9.95 per cent.
Only slightly more than half (56 per cent) of decision makers report that preventing a security attack is a regular item on the board agenda, suggesting that more needs to be done to get it taken seriously at boardroom level.
Respondents estimate on average that only 15 per cent of their organisation’s IT budget is spent on information security – although this figure has gone up from 13 per cent in 2015 and ten per cent in 2014. Many report that they spend less on security than on R&D (31 per cent), sales (28 per cent), and marketing (27 per cent).
The need to drive a culture of security
More than half (56 per cent) of business decision makers say their organisation has a formal information security policy in place, up from 52 per cent in 2015. More than a quarter (27 per cent) are in the process of implementing one – just one per cent have no policy and no plans to implement one.
However, while the vast majority (79 per cent) say their security policy has been actively communicated internally, only 39 per cent say their employees are fully aware of it. Germany and Austria (85 per cent) are above average in communicating the policy, together with the US (84 per cent) and the UK (83 per cent).
The percentage of respondents with an official information security policy varies widely by country. In Sweden the figure is just 30 per cent, while in the UK 72 per cent claim to have one. By sector, healthcare leads the way, with 69 per cent of companies claiming an official information security policy, and finance comes a close second (66 per cent).
Fewer than half (48 per cent) of organisations have an incident response plan, although a further 31 per cent are implementing one. Even where a plan exists, just 47 per cent of decision maker respondents are fully aware of what it includes.