It found that businesses routinely delayed data breach disclosure and failed to provide important details to the ICO in the year prior to the GDPR’s enactment.
On average, businesses waited three weeks after discovery to report a breach to the ICO, while the worst offending organisation waited 142 days. The vast majority (91%) of reports to the ICO failed to include important information such as the impact of the breach, recovery process and dates. The FOI also revealed that hackers disproportionately targeted businesses at the weekend, while many reports would be issued to the ICO on a Thursday or Friday – possibly in an attempt to minimise potential media coverage.
Redscan analysed 182 data breach reports triaged by the ICO in the financial year ending April 2018 (relating to ‘general businesses’ as well as financial services and legal firms)*. Key findings include:
“Data breaches are now an operational reality, but detection and response continue to pose a massive challenge to businesses”, said Mark Nicholls, Redscan director of cybersecurity.
“Most companies don’t have the skills, technology or procedures in place to detect breaches when they happen, nor report them in sufficient detail to the ICO. This was a problem before the GDPR and is an even bigger problem now that reporting requirements are stricter.”
Redscan’s FOI request reveals that financial services and legal firms were far better at identifying and reporting breaches than general businesses – likely due to increased regulatory awareness and the highly sensitive nature of data processed in these industries. On average, financial services firms took 37 days to identify a breach, legal firms took 25 days, while companies classified as ‘general business’ took 138 days.
Financial services (16 days) and legal firms (20 days) were also quicker to disclose breaches to the ICO than general businesses (27 days).
38/181 (21%) organisations did not report a breach incident date to the ICO, suggesting they either lacked awareness of or knowingly withheld this important information. A further 46/181 (25%) organisations also failed to report a breach discovery date.
Mark Nicholls: “The fact that so many businesses failed to provide critical details in their initial reports to the ICO says a lot about their ability to pinpoint when attacks occurred and promptly investigate the impact of compromises.
“Without the appropriate controls and procedures in place, identifying a breach can be like finding a needle in a haystack. Attacks are getting more and more sophisticated and, in many cases, companies don’t even know they’ve been hit.”
“In general, firms operating across the financial and legal sectors are among those better prepared to manage data breaches. The fact that even businesses in these high-value sectors were taking two to three weeks to divulge incidents is a key reason why the reporting rules have since been tightened.”
Mark Nicholls: “Detecting and responding to breaches is now a 24/7 effort. Many organisations lack the technology and expertise they need, which is compounded by a global cybersecurity skills shortage. Resources are stretched even further at weekends, when many IT teams are off-duty – exactly why hackers chose to target businesses out of hours.
“It’s also interesting to note that nearly half of reports to the ICO were submitted on a Thursday or a Friday, good days to bury bad news. This might be overly cynical but I suspect that in many cases, breach disclosure on these days may have a deliberate tactic to minimise negative publicity.”
Mark Nicholls: “It’s incredibly optimistic to think that businesses are better at preventing and detecting data breaches since the introduction of the GDPR. Despite the prospect of a larger penalty, many are still struggling to understand and implement the solutions they need to achieve compliance.”
