According to a new CyberArk survey, half of organisations (50%) did not fully inform customers when their personal data was compromised in a cyber attack. With enforcement of the General Data Protection Regulation (GDPR) anticipated for May 2018, organisations that do not take action to improve transparency associated with breaches will face substantial consequences.
The findings suggested that business leaders’ views of IT security were misaligned with IT security leaders, which is putting organisations and their customers at risk.
Security concern does not translate into accountability
The report found that 46% of security respondents said their organisation can’t stop every attempt to break into their internal network, while 63% of business respondents are concerned that their organisation is susceptible to attacks, like phishing, targeting the executive team.
>See also: Uber hack affects 2.7M UK customers
Despite this high level of concern, 49% of business respondents report not having sufficient knowledge about security policies, and 52% do not understand their specific role in response to a cyber attack.
Worryingly, 33% of security professionals surveyed also claimed not to have adequate knowledge of – presumably their own – security policies.
Gaps in security best practices persist
Security practices need to be reviewed. The report found that 42% of line of business respondents said they store passwords in a document on a company PC or laptop, and 31% of security professionals surveyed still do not use a privileged account security solution to store and manage privileged and/or administrative passwords
Trust in security is at the core of commercial relationships
Similarly, 44% of business respondents said potential partners assess their organisation’s security before doing business with them: 51% of organisations provide third-party vendors remote access to their networks and, of this group, 23% failed to monitor remote vendor activity.
>See also: Is your business ready to deal with a data breach?
“Unfortunately, it’s not uncommon for organisations to want to hide the extent of damage caused by cyber attacks. As we’ve seen in data breaches at Yahoo!, Uber and more, these organisations are either intentionally hiding initial details, or the attacks were more extensive than first thought,”said David Higgins, director of Customer Development, EMEA at CyberArk.
“This sort of behaviour will have massive consequences in the coming year with enforcement of GDPR fines for lack of compliance. What’s also surprising about this survey is the persistence of rampant poor security best practices and lack of consistency across line of business and IT security leaders – despite strong awareness of risks and continued headline-generating cyber attacks.”