
Cyber security industry believes GDPR is stifling innovation

Cyber security industry believes the EU’s General Data Protection Regulation is hindering innovation and could encourage organisations to cover up security breaches, a poll has revealed

In a poll of Infosecurity Europe 2017 attendees, almost half said the EU General Data Protection Regulation (GDPR) is stifling innovation by making companies nervous about cloud services.

This could be due to the lack of expertise, with more than a quarter of respondents describing their organisations’ level of cloud security expertise as either “novice” or “not very competent”, according to the survey report.

Over a quarter of more than 900 security professionals surveyed by security firm AlienVault admitted to cutting corners with cloud security in order to reduce costs, such as sharing credentials to access cloud-based apps and services within their organisations.

Also, 48% either do not have, or are not sure if they have, data processing agreements set up with new cloud providers. This is an essential part of GDPR compliance, and ensures that any cloud apps are adhering to data privacy protection requirements when processing customer data.

Javvad Malik, security advocate at AlienVault, said cloud security is clearly still a thorn in the side of some organisations, with IT teams still struggling to monitor their environments for security threats effectively.

“In a separate AlienVault survey, we found that around a fifth of IT professionals don’t know how many cloud applications are being used within their organisations,” said Malik. “This lack of visibility raises the question of how cloud-consuming organisations are going to cope with the requirements of GDPR if they don’t even know which apps are being used.”

The survey also revealed that half of respondents believe the GDPR could lead to security breach cover-ups because of the requirement for organisations to report a data breach within 72 hours, which may tempt companies to cover up breaches to avoid a fine for late notification.


One reason for this could be that 43% of respondents do not think their organisation could, or are not sure if they could, identify and report a data breach within 72 hours.

“Organisations with small and over-stretched security teams, and limited budgets for cyber security, are likely to be extremely worried about the threat of GDPR fines,” said Malik.

“After all, the potential of having to pay up to 4% of global turnover could have a serious effect on a fledgling business, potentially impacting earnings or funding opportunities. They could also lose customers through reputational damage and even have to consider making redundancies.

“Set against this backdrop, it is easy to see why some might consider trying to cover up a data breach, rather than deal with the consequences. But this could lead to far greater problems for them in the long term.”

It is now widely accepted that the UK will still have to comply with GDPR and other EU legislation for the foreseeable future, despite Brexit. However, more than a quarter of survey respondents (26%) still believe the corporate and customer data held by their organisation will be less secure when the UK leaves the EU.


Also, 54% of respondents said they thought a change of leadership at Downing Street could have made the country more cyber secure, because of a change in policy towards encryption and the sharing of cyber threat intelligence.

When asked about encryption, 38% said their organisation would refuse to put a backdoor in their customer data if asked to do so by the government.

“Prime minister Theresa May has been waging a long battle against encryption, stating that end-to-end encryption is ‘completely unacceptable’ and is providing a safe haven for terrorists,” said Malik.

“While no one wants to actively support terrorism, the information security community is clearly concerned that the weakening of encryption and introduction of backdoors could also introduce significant risks.”

Malik believes there will be trouble ahead for the government if it continues with its current approach. “However, one way to resolve this might be for the government to detail its requirements to technology companies, and allow them to suggest methods of achieving these goals, rather than dictating methods that are viewed as either insecure or not feasible,” he said.
