UK businesses routinely delayed data breach disclosure to the Information Commissioner’s Office (ICO) in the year ahead of the full implementation of the EU’s General Data Protection Regulation (GDPR) on 25 May 2018.
This was the main finding of a freedom of information (FoI) request submitted to the Information Commissioner’s Office by threat detection and response firm Redscan, covering 182 data breach reports triaged by the ICO in the financial year to April 2018.
Analysis of the data shows that, on average, it took companies 60 days (two months) to identify they’d been a victim of a data breach, with one business taking as long as 1,320 days (44 months).
Businesses waited three weeks on average after discovery to report a breach to the ICO, while the worst offending organisation waited 142 days. The data showed that less than a quarter of businesses would be compliant with current GDPR requirements, which demand that organisations report a breach within 72 hours of discovery.
However, the data revealed that financial services and legal firms were far better at identifying and reporting breaches than general businesses, which is likely due to increased regulatory awareness and the highly sensitive nature of data processed in these industries.
On average, financial services firms took 37 days to identify a breach, legal firms took 25 days, while companies classified as “general business” took 138 days. Financial services (16 days) and legal firms (20 days) were also quicker to disclose breaches to the ICO than general businesses (27 days).
“Data breaches are now an operational reality, but detection and response continue to pose a massive challenge to businesses,” said Mark Nicholls, director of cyber security at Redscan. “Most companies don’t have the skills, technology or procedures in place to detect breaches when they happen, nor report them in sufficient detail to the ICO. This was a problem before the GDPR and is an even bigger problem now reporting requirements are stricter.”
The data showed that 91% of reports to the ICO failed to include important information such as the impact of the breach, the recovery process and dates. More than nine out of 10 companies (93%) did not specify the impact of the breach, or did not know the impact at the time it was reported, while 21% did not report a breach incident date to the ICO, suggesting they either lacked awareness of or knowingly withheld this important information. A further 25% also failed to report a breach discovery date.
“The fact that so many businesses failed to provide critical details in their initial reports to the ICO says a lot about their ability to pinpoint when attacks occurred and promptly investigate the impact of compromises,” said Nicholls.
“Without the appropriate controls and procedures in place, identifying a breach can be like finding a needle in a haystack. Attacks are getting more and more sophisticated and, in many cases, companies don’t even know they’ve been hit.”
“In general, firms operating across the financial and legal sectors are among those better prepared to manage data breaches. The fact that even businesses in these high-value sectors were taking two to three weeks to divulge incidents is a key reason why the reporting rules have since been tightened.”
Hackers target businesses at the weekend
The FoI data also revealed hackers disproportionately targeted businesses at the weekend, while many reports (48%) would be issued to the ICO on a Thursday or Friday. Saturday was the most common day for businesses to fall victim to a data breach, accounting for more than a quarter of incidents.
“Detecting and responding to breaches is now a 24/7 effort,” said Nicholls. “Many organisations lack the technology and expertise they need, which is compounded by a global cyber security skills shortage. Resources are stretched even further at weekends, when many IT teams are off-duty – exactly why hackers chose to target businesses out of hours.
“It’s also interesting to note that nearly half of reports to the ICO were submitted on a Thursday or a Friday, good days to bury bad news. This might be overly cynical, but I suspect that in many cases, breach disclosure on these days may have been a deliberate tactic to minimise negative publicity.”
Commenting on whether the full implementation of the GDPR has had a positive effect on organisations’ ability to manage data breaches, Nicholls said it would be optimistic to think that businesses were better at preventing and detecting data breaches since the introduction of the GDPR.
“Despite the prospect of a larger penalty, many are still struggling to understand and implement the solutions they need to achieve compliance,” he said.
An ICO spokesperson said that since the full implementation of the GDPR on 25 May 2018, there have been more data breach reports because the law requires them in high-risk cases.
Noting that prior to this date only telecoms companies were required by law to report data breaches, the spokesperson said the ICO has since received more than 11,000 data breach reports.
“This is not just an administrative task. It speaks to accountability – a cornerstone of the GDPR. Only by having strong data governance will organisations be able to properly report the details of a breach to us within 72 hours.
“Data breach reporting will encourage companies to invest in better security and data governance,” the spokesperson said.