Many organizations find that getting their data privacy house in order is paying off.
It’s been less than a year since the General Data Protection Regulation (GDPR) officially took effect, but a new study already shows that organizations that invested in data privacy to meet GDPR guidelines suffered fewer data breaches in the past year.
Cisco Systems’ new Data Privacy Benchmark Study, based on data from 3,200 security professionals worldwide, found that nearly 60% of organizations have met most or all GDPR requirements, and close to 30% expect to do so within a year. GDPR, which became enforceable on May 28, 2018, provides a standard data privacy law for the European Union, imposing stricter rules on the control and use of personally identifiable information as well as giving users more control over their data.
The most GDPR-ready organizations suffered fewer data breaches in the last year (74%) than organizations that aren’t as far along in their data privacy efforts, according to the study. Eighty percent of organizations less than a year from GDPR compliance were hit with a data breach, and nearly 90% of those who don’t expect to be GDPR-ready for more than a year experienced data breaches.
GDPR readiness also helped minimize the number of data records exposed as well as the resulting costs: The firms that were readier had 79,000 files exposed, versus 212,000 in orgs less mature in their data privacy efforts. While 64% of the not-ready-for-GDPR firms lost more than $500,000 last year in data breach costs, just 37% of the GDPR-ready ones experienced that level of costs.
The European Union’s regulation — which affects multinational firms worldwide — has been heating up of late: France’s data privacy agency earlier this week fined Google some $57 million in penalties for failing to disclose how it gathers and uses personal information of users. This is the first major fine for a US tech company under the new privacy law.
Robert Waitman, director of data privacy at Cisco, says his firm’s study also found that data privacy investments are helping to shorten sales cycles. “The length of delay has been cut in half now, which was surprising,” he says. “It’s shrunk so significantly because they are more experienced in answering companies’ data privacy questions.”
GDPR has its trade-offs, notes Waitman, but it’s already making a difference with improved data privacy. “Reflected in the data [in this report] are these tangential benefits of getting your data house in order,” he says.
Christian Vezina, CISO at OneSpan, says GDPR has upped the ante for due diligence of third parties when it comes to data privacy.
“Privacy is starting to be an important part of standard vendor assessment processes,” Vezina says. “Service organizations having a higher level of privacy maturity will benefit from a shortened sales cycle, as they will be in a position not only to demonstrate their compliance, but to assist their customers in meeting their own compliance obligations.”
- 6 Ways to Strengthen Your GDPR Compliance Efforts
- GDPR Oddsmakers: Who, Where, When Will Enforcement Hit First
- The High Costs of GDPR Compliance
- 6 Security Investments You May Be Wasting
Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise … View Full Bio
From DHS/US-CERT’s National Vulnerability Database
An issue was discovered in OpenSSH 7.9. Due to missing character encoding in the progress display, a malicious server (or Man-in-The-Middle attacker) can employ crafted object names to manipulate the client output, e.g., by using ANSI control codes to hide additional files being transferred. This af…
In OpenSSH 7.9, due to accepting and displaying arbitrary stderr output from the server, a malicious server (or Man-in-The-Middle attacker) can manipulate the client output, for example to use ANSI control codes to hide additional files being transferred.
An issue was discovered in OpenSSH 7.9. Due to the scp implementation being derived from 1983 rcp, the server chooses which files/directories are sent to the client. However, the scp client only performs cursory validation of the object name returned (only directory traversal attacks are prevented)….
In NetKit through 0.17, rcp.c in the rcp client allows remote rsh servers to bypass intended access restrictions via the filename of . or an empty filename. The impact is modifying the permissions of the target directory on the client side. This is similar to CVE-2018-20685.
An issue was discovered in rcp in NetKit through 0.17. For an rcp operation, the server chooses which files/directories are sent to the client. However, the rcp client only performs cursory validation of the object name returned. A malicious rsh server (or Man-in-The-Middle attacker) can overwrite a…