Redscan analyzes 182 data breach reports

Businesses are still struggling to respond to security incidents, with many failing to detect data breaches and report them in the time allocated under new data protection rules.

Redscan, a UK-based cybersecurity firm, analyzed 182 data breaches reported to the Information Commissioner’s Office (ICO) in the financial year ending April 2018 – a period when organizations were first obliged to comply with the EU’s General Data Protection Regulation (GDPR).

After obtaining the information through Freedom of Information (FOI) requests, Redscan found that companies across all sectors were having difficulty detecting whether a breach had occurred on their systems, with an average time to identify an incident of 60 days.

The longest time taken to detect a breach was more than three years, while 21% of companies were unable to state in their submitted incident report exactly when a breach had happened.

“Most companies don’t have the skills, technology or procedures in place to detect breaches when they happen, nor report them in sufficient detail to the ICO,” said Mark Nicholls, director of cybersecurity at Redscan.

“This was a problem before the GDPR and is an even bigger problem now that reporting requirements are stricter.”

The implementation of GDPR, which requires any data handling organization to notify a data protection authority such as the ICO of an incident within 72 hours of it being identified, has, however, seen an increase in breach reporting.

In February of this year, The Daily Swig reported how more than 59,000 data breaches had been reported throughout Europe in the eight months since GDPR had been introduced, with the UK accounting for 10,600 of the reported incidents.

In spite of this increase, data highlighted by Redscan illustrates how organizations on average are taking 21 days to report an incident – the longest period they found stretched to 142 days.

“It’s incredibly optimistic to think that businesses are better at preventing and detecting data breaches since the introduction of the GDPR,” said Nicholls.

“Despite the prospect of a larger penalty, many are still struggling to understand and implement the solutions they need to achieve compliance.”

Further analysis also showed that the majority of companies were missing significant details in their submitted reports – nine out of 10 (93%) organizations were unable to specify the impact of the data breach on their systems.

Security incidents were most likely to occur on a Saturday, and organizations predominately filed their data breach reports to the ICO on either a Thursday or Friday.

“Resources are stretched even further at weekends, when many IT teams are off-duty – exactly why hackers chose to target businesses out of hours,” said Nicholls.

“It’s also interesting to note that nearly half of reports to the ICO were submitted on a Thursday or a Friday, good days to bury bad news. This might be overly cynical, but I suspect that in many cases, breach disclosure on these days may have been a deliberate tactic to minimise negative publicity.”

Financial and legal organizations tended to do the best in reporting incidents in a timely and detailed fashion, Redscan said, possibly due to their longer experience of handling data of a more sensitive nature.

The results may paint a grim picture, but Jay Harris, a security researcher at Manchester-based security consultancy Digital Interruption, believes that companies need to work harder at putting security into their budgets.

“Now that companies are required to notify users about data breaches, it's become more important than ever to have an incident response plan,” Harris told The Daily Swig.

“Unfortunately there is no magic bullet that will detect every incident no matter what some vendors are trying to sell, although there are some tools that can help you identify anomalies.”