[BreachExchange] UK Government praises GDPR as cyber security breaches fall, as top lawyer issues warning

Fri Apr 12 09:19:09 EDT 2019

https://www.information-age.com/cyber-security-breaches-fall-123481460/

They are down, but this isn’t a reason to celebrate: cyber security
breaches are getting more complicated. According to new statistics
from the Department for Digital, Culture, Media and Sport, 32% of
businesses identified a cyber security breach or attack in the last 12
months – down from 43% the previous year.

That may seem like a reason to celebrate, but then the data also
reveals that among organisations that were attacked, the median number
of cyber security breaches has risen from four to six.

It seems cyber security breaches and attacks are getting more concentrated.

The cost has gone up too, the average cost of a cyber attack on a
business has gone up by more than £1,000 since 2018 to £4,180.

So it seems the headline figures about fewer organisations falling
victim to attacks hides behind a thin veneer.

The government says that GDPR is one of the reasons for the fall.

“The reduction is partly due to the introduction of tough new data
laws under the Data Protection Act and the General Data Protection
Regulations (GDPR). 30% of businesses and 36% of charities have made
changes to their cyber security policies and processes as a result of
GDPR coming into force in May 2018.”

Maybe that is right, but the stats also show that 48% of businesses
and 39% of charities who were breached or attacked, identified at
least one breach or attack every month.

Information Age would like to suggest the problem is that
cybercriminals are getting more sophisticated and that maybe they are
only attacking organisations after carrying out extensive research
into their victims first — so from their point of view, attacking
fewer organisations, meaning few organisations falling victim to
cybersecurity breaches makes sense.

Mark Deem, who heads the cyber team at legal practice Cooley said that
“businesses are still failing to detect both threat actors and how
their networks have been compromised in a first attack; whereas a
victim will generally be able to identify subsequent attacks with
greater ease.”

He also suggested that GDPR could partly explain why cybersecurity
breaches are getting more expensive. “The introduction of mandated
notification and increased penalties under GDPR are likely to further
drive up the potential financial costs of all data incidents in the
future too – whether as a result of an incident becoming notifiable as
a breach or the additional investigative work that might be required
in order to satisfy the business that notification is not required,”
he said.

Too soon to say

Mark Deem also argued that it may be “too soon to determine whether
recent legal and regulatory changes have driven the much-needed
behavioural and cultural shift of businesses towards robust
information security, or whether this trend is likely to be
short-lived.

“Genuine cyber-resilience comes from corporate muscle-memory, which is
developed from incident response planning with legal, communications
and IT security stakeholders, and which is sustained by testing and
updating processes on a regular basis.”

Digital Minister Margot James said: “With less than three in ten of
those companies having trained staff to deal with cyber threats,
there’s still a long way to go to make sure that organisations are
better protected.

“We know that tackling cyber threats is not always at the top of
business and charities list of things to do, but with the rising costs
of attacks, it’s not something organisations can choose to ignore any
longer.