News & Views
Data breach survey from Apricorn
Almost half of organizations have been reported to the UK Information Commissioner's Office (ICO) for a potential data breach, according to the latest data breach survey from Apricorn (www.apricorn.com), the leading manufacturer of software-free, 256-bit AES XTS hardware-encrypted USB drives.
In the survey, Apricorn found that almost half (43%) of surveyed IT decision makers said their organization has been reported to the ICO since the General Data Protection Regulation (GDPR) came into effect. A further quarter of respondents (25%) said they had notified the ICO of a breach or potential breach within their organization, and 21% have had a breach or potential breach reported by someone else.
However, these risks are being mitigated by an increase in encryption and endpoint control. According to Apricorn's research, nearly all respondents (94%) say their organization has a policy that requires encryption of all data held on removable media. Of those that encrypt all data held on removable media, more than half (57%) hardware-encrypt all information as standard on all removable media.
Of those with an information security strategy that covers employees' use of their own IT equipment for mobile/remote working, 42% said they permit only corporate-IT-provisioned or approved devices and enforce this with strict endpoint controls. This is a huge rise compared with 12% in 2019, highlighting a positive shift in focus towards endpoint control.
When questioned on whether they had seen an increase in the implementation of encryption in their organization since GDPR was enforced, nearly four in ten (39%) said they had noticed an increase, and that their organization now requires all data to be encrypted as standard, whether at rest or in transit. This is a positive step given the number of employees now working remotely as a result of the current pandemic.
“The wide variety of options for encryption deployment can be intimidating, and companies haven’t been using it effectively. Organisations are now beginning to recognise the importance of endpoint hardware encryption and the need to implement and enforce policies to protect corporate data, ensure compliance with data protection regulations, and reduce the potential for a data breach,” says Jon Fielding, Managing Director EMEA, Apricorn.
"Our research shows that while many businesses say they are currently encrypting devices, they admit that they have no further plans to expand encryption on USB sticks (38%), laptops (32%), desktops (37%), mobiles (31%) and portable hard drives (40%). This is worrying given the risks posed to corporate data being held on unencrypted devices. Businesses should allow only corporately approved, hardware-encrypted devices that are whitelisted on the IT infrastructure, and block access to all non-approved media through endpoint control."
When asked about the impact of a data breach on their organization, more than a third (35%) of respondents cited damage to the brand and reputation of the business as their main concern. This was followed by concerns over the financial costs of incident response and clean-up (28%), loss of customer trust (18%) and the financial cost of a fine (12%).
“Focusing on how best to manage and respond to a potential breach in cooperation with data protection authorities is essential. Being able to establish a cause and remediate quickly will put businesses in good stead for breach recovery,” says Fielding.
Employees unintentionally putting data at risk remains the leading cause (33%) of a data breach, with lost or misplaced devices now the second biggest cause (24%) and third parties mishandling corporate information not far behind (23%). This is consistent with the finding that, although more than a third (35%) of survey respondents have complete visibility of which devices employees use to access the corporate network, they are not certain that all of those devices are secure.
Fielding says, "It's clear that GDPR is finally having some impact, but businesses need to recognize that compliance is ongoing and they should continue to enforce and update all policies. Equally, more needs to be done in terms of employee awareness and education if they want to reduce the risk of a data breach, particularly given the increase in data moving beyond the corporate network."
Over 160,000 breach notifications were made to data supervisory authorities in the European Economic Area (EEA) between GDPR coming into force and the end of January 2020, according to a data breach survey carried out by law firm DLA Piper.
“The fact that so many businesses are now choosing to notify of a potential breach is positive, but likely precautionary to avoid falling foul of the requirements and any significant financial or reputational ramifications,” comments Fielding.