Companies are too slow to report data breaches, finds report
The number of days between a company discovering a data breach and disclosing it to stakeholders is decreasing but is still too high to comply with the requirements of the GDPR, a new report finds.
According to an analysis carried out by Risk Based Security, the average time it takes for a business to report a data or security breach is still 37.9 days.
The latest instalment of the firm’s “Data breach quick view report”, which covers the first quarter of 2018, did point out that this figure is down from 42.7 days in 2017, 68.9 days in 2016 and 82.6 days in 2015.
The firm’s executive vice-president Inga Goddijn says that the data makes for stark reading considering Article 33 of the GDPR, the so-called “72-hour notification” rule, which requires organisations to notify the supervisory authority within 72 hours of becoming aware of a personal data breach.
Goddijn adds that though it is “encouraging” that the time taken to report is gradually decreasing each year, the current numbers show that there is a lot still to be done to meet GDPR’s obligations.
The regulation’s 72-hour deadline is not even the most stringent: some rules that apply to financial services firms require data breaches to be reported within an hour of the event.
Risk Based Security’s data also shows that the number of breaches reported by organisations in the quarter fell to 686, compared with 1,444 in the same period a year earlier.
Goddijn says that the most likely cause of this dip is not improved security practices, but rather a shift in focus by cyber criminals, who are increasingly turning to more lucrative tactics such as illicit cryptocurrency mining.
She added: “While there is no direct data linking the rise of cryptominers to a reduction in data breach activity, there are tantalising bits of evidence that lead us to believe there is some level of relationship at play here.”