GDPR is stifling innovation and could encourage security breach cover ups

The cybersecurity industry believes that the European General Data Protection Regulation (GDPR) is stifling innovation by making companies nervous about using cloud-based applications and services, according to new research published today by AlienVault, the leading provider of Unified Security Management and crowdsourced threat intelligence.

In a recent survey of over 900 conference participants at Infosecurity Europe, almost half (49%) of respondents said that the threat of GDPR fines is making them more nervous of using cloud-based apps and services. This could be due to the lack of cloud security expertise that participants described within their organisations. Over a quarter of them (28%) described the level of cloud security expertise in their organisations as either ‘novice’ or ‘not very competent’.

Over a quarter of those surveyed (27%) admitted to cutting corners with cloud security in order to reduce costs, such as sharing credentials to access cloud-based apps and services within their organisations. In addition, almost half (48%) either don’t have, or aren’t sure if they have, data processing agreements set up with new cloud providers. This is an essential part of GDPR compliance, and ensures that any cloud apps are adhering to data privacy protection requirements when processing customer data.

Javvad Malik, security advocate at AlienVault, explains: “Cloud security is clearly still a thorn in the side for some organisations, with IT teams still struggling to monitor their environments effectively for security threats. In a separate AlienVault survey, we found that around a fifth of IT professionals don’t know how many cloud applications are being used within their organisations. This lack of visibility raises the question of how cloud-consuming organisations are going to cope with the requirements of GDPR if they don’t even know which apps are being used.”

The 72 hour rule: more harm than good?

Article 33 of the GDPR legislation states that an organisation must report a data breach within 72 hours. The national data protection authority will then decide how much to fine the organisation for the breach; this could be up to 4% of the organisation’s global annual turnover, or over 20 million Euro, whichever is greater.

Half of respondents (50%) in the AlienVault survey believe that the 72 hour rule could do more harm than good. For example, people might try to cover up data breaches to avoid the fine, rather than reporting them in a less timely manner. One reason for this could be because a significant proportion (43%) of survey participants don’t think their organisation could, or aren’t sure if they could, identify and report a data breach within 72 hours.

“Organisations with small and overstretched security teams, and limited budgets for cybersecurity, are likely to be extremely worried about the threat of GDPR fines,” adds Malik. “After all, the potential of having to pay up to 4% of global turnover could have a serious effect on a fledgling business potentially impacting earnings or funding opportunities. They could also lose customers through reputational damage and even have to consider making redundancies. Set against this backdrop, it’s easy to see why some might consider trying to cover up a data breach, rather than deal with the consequences. But this could lead to far greater problems for them in the long term.”