GDPR is stifling innovation

 

In a recent survey of over 900 conference participants at Infosecurity Europe, almost half (49%) of respondents said that the threat of GDPR fines is making them more nervous of using cloud-based apps and services. This could be due to the lack of cloud security expertise that participants described within their organisations. Over a quarter of them (28%) described the level of cloud security expertise in their organisations as either ‘novice’ or ‘not very competent’. 

 

Over a quarter of those surveyed (27%) admitted to cutting corners with cloud security in order to reduce costs, such as sharing credentials to access cloud-based apps and services within their organisations. In addition, almost half (48%) either don’t have, or aren’t sure if they have, data processing agreements set up with new cloud providers. This is an essential part of GDPR compliance, and ensures that any cloud apps are adhering to data privacy protection requirements when processing customer data.

 

Javvad Malik, security advocate at AlienVault, explains: “Cloud security is clearly still a thorn in the side for some organisations, with IT teams still struggling to monitor their environments effectively for security threats. In a separate AlienVault survey, we found that around a fifth of IT professionals don’t know how many cloud applications are being used within their organisations. This lack of visibility raises the question of how cloud-consuming organisations are going to cope with the requirements of GDPR if they don’t even know which apps are being used.”

 

 

Article 33 of the GDPR legislation states that an organisation must report a data breach within 72 hours. The national data protection authority will then decide how much to fine the organisation for the breach; this could be up to 4% of the organisation’s global annual turnover, or over 20 million Euro, whichever is greater.

 

Half of respondents (50%) in the AlienVault survey believe that the 72 hour rule could do more harm than good. For example, people might try to cover up data breaches to avoid the fine, rather than reporting them in a less timely manner. One reason for this could be because a significant proportion (43%) of survey participants don’t think their organisation could, or aren’t sure if they could, identify and report a data breach within 72 hours.

 

Javvad Malik explains: “Organisations with small and overstretched security teams, and limited budgets for cybersecurity, are likely to be extremely worried about the threat of GDPR fines. After all, the potential of having to pay up to 4% of global turnover could have a serious effect on a fledgling business potentially impacting earnings or funding opportunities. They could also lose customers through reputational damage and even have to consider making redundancies. Set against this backdrop, it’s easy to see why some might consider trying to cover up a data breach, rather than deal with the consequences. But this could lead to far greater problems for them in the long term.”

 

 

It is now widely accepted that the UK will still have to comply with GDPR and other EU legislation for the forseeable future, despite the UK’s decision to leave the EU. However, over a quarter of survey respondents (26%) still believe that the corporate and customer data their organisation holds will be less secure when Britain leaves the EU.

 

In addition, the majority of security professionals questioned during the poll (54%) said that they thought a change of leadership at No. 10 Downing Street could have made the country more cyber secure, due to a change in policy towards encryption and the sharing of cyber threat intelligence. 

 

When it comes to encryption, over a third of respondents (38%) said that their organization would refuse to put a backdoor in their customer data if asked to do so by the government. In fact, many respondents were extremely scathing about the government’s policies towards encryption, leaving comments including: “The laws and things the Tory government talk about introducing show that they don’t understand the Internet”, and “Theresa May has literally no knowledge of the tech/security industry, and is using the standard rhetoric in order to scare the electorate into voting.”

 

Javvad Malik continues: “British PM Theresa May has been waging a long battle against encryption, stating that end-to-end encryption is ‘completely unacceptable’ and is providing a safe haven for terrorists. While no one wants to actively support terrorism, the InfoSec Community is clearly concerned that the weakening of encryption and introduction of backdoors could also introduce significant risks. It seems likely that trouble will lie ahead for the government if it continues with its current approach. However, one way to resolve this might be for the government to detail its requirements to technology companies, and allow them to suggest methods of achieving these goals, rather than dictating methods that are viewed as either insecure or not feasible.”