Fewer than one in four security pros believe GDPR will protect user data

Security professionals in Europe are doubting whether user privacy will ever be fully achieved, in spite of mandatory data protection now required under the recently enforced General Data Protection Regulation (GDPR).

The growing skepticism toward the legislation, enacted in May of this year, surfaced in new research published by the organizers of Black Hat Europe ahead of its annual meeting of infosec pros in December.

Similar to the 2018 Black Hat USA Attendee Survey, this latest report solicited answers from 132 experts from across Europe, gauging the current challenges facing those working within the sector to keep both critical infrastructure and users secure.

With that in mind, nearly two-thirds (65%) of those interviewed cited the likelihood of a successful nation-state-sponsored cyber-attack hitting a major European network over the next two years, putting sophisticated and targeted attacks as the number one concern for more than half of respondents.

Running parallel to the feeling stateside, insider threats were perceived as the weakest link in the defenses of 42% of European security workers, mostly due to end users falling for phishing scams and social engineering exploits too easily.

This shaky outlook reflects the need for organizations to maintain rigorous digital hygiene, which 70% of individuals surveyed believed they had seen in their places of work in light of GDPR.

Despite the resources dedicated to improving security protocol, however, just over a third of respondents were confident that their organization was GDPR compliant, and fewer than one in four believed that the EU legislation would actually assist in protecting user data.

“While GDPR has brought attention to the need to tighten up security by implementing specific regulations, there are still doubts around whether those regulations will truly be effective,” said Steve Wylie, general manager of Black Hat.

Wylie told The Daily Swig that those attending the security event are typically skeptical towards any legislation seeking to strengthen cybersecurity defenses amid heightened data protection.

“They know that the attacker is very savvy and that many systems and applications are vulnerable,” he said, adding that European respondents were still more devoted to improving user privacy compared with their American counterparts, even though US companies operating in Europe are still held accountable to GDPR.

“The USA report touched on social media, the concern certainly stemmed from recent issues with Facebook, while the Europe report casts a wider net and focuses not only on social media companies but wider businesses’ use of personal data,” Wylie said.

The prevalence of open information online appeared to strike the strongest chord with European security professionals, with almost 60% citing the collection and sale of personal data by social media platforms as a bigger threat to user privacy than any insider mistake.

This prompted more than 40% to say that they planned to minimize their social media usage and would advise their organizations to do the same, highlighting how digital education was still needed in order to close the gap in cybersecurity defenses and protect against the likes of spear-phishing campaigns.

“Some of the responses indicate that upper management still is not very well informed about cybersecurity in some organizations,” said Wylie. “Without greater management support and awareness, it is difficult for security teams to get the resources they need.”

A fifth of security professionals think the skills shortage is contributing to the lack of awareness within their organizations, while less than half said they didn’t believe their organizations had the budget to keep up with today’s threats.

Wylie added: “Just under half of those surveyed still don’t have enough security budget to defend against today’s threats – the same number of respondents also don’t think they have enough staff to do so.”

Black Hat Europe takes place in London on December 3-6.

