Why reporting security breaches should become mandatory

Over the last six months, we have seen an increasing number of high-profile data breaches. As this continues, public awareness of the issue has grown immensely and sentiment towards companies that suffer data breaches has become negative.

To combat the rise in data breaches, the EU will be announcing a new piece of legislation later this year. This legislation will make it easier for both countries and businesses within the EU to follow one standard data protection law, instead of 28 individual ones.

Many current data protection laws, including those in the UK are out of date and need to be refreshed so this is a step forward in helping breach reporting become mandatory. This legislation has not come at a better time.

The legislation will affect all organisations that process over 5,000 pieces of EU citizen data a year. According to the EU, EU citizen data was worth an estimated €315 billion to organisations in 2011 and has the potential to grow to nearly one trillion Euros in 2020. As a result, data has never been more important.

>See also: Who is responsible for cyber security in the enterprise?

One of the key points within this new law is that if an organisation experiences a data breach, it will have to tell the appropriate body in its country within 72 hours, as well as identify that it was a breach.

This a good step forward in terms of data security. It is clear that self-regulation has not worked in the past and it will never work if it just provides assurance to auditors. But although this legislation in place is a good thing, there is still a huge issue for organisations – trust.

Part of the reason for this is the personal security aspect, with consumer tolerance for data at an all-time low. Fujitsu UK & Ireland’s recent data survey, which polled 3,000 UK consumers, revealed that there is a lack of consumer trust in organisations, with only nine per cent of consumers stating that they believed organisations were doing enough to secure their data.

In some organisations, there is a tick box mentality to security standards and in many cases security legislation itself, so is it really so surprising that high-profile organisations are breached?

This legislation shouldn’t be a barrier to the digital economy, but instead should enable it. The mind-set of organisations has now changed from “we can’t protect data” to “this is something we need to do”.

To help organisations combat this lack of trust and help businesses meet the standards set, there are things that organisations can be doing.

Firstly, businesses can do real testing in order to establish the efficacy of security systems; adopting an “it’s too expensive” approach will undoubtedly prove more costly in the end. Clearly the more real testing is done, the more costs will be driven down as it becomes commoditised. When coupled with an acceptance of breaches, offset with decent and tested recovery plans, organisations will gain the trust of their customers at the expense of those who don’t get it; it will be those companies that will thrive.

Another issue that results in unnecessary exposure to threats is data hoarding. Organisations need to follow the simple principle of only using the data that is needed, keeping it for the appropriate amount of time, and then disposing of it correctly. If large data stores are needed, organisations must make sure that they are protected and accessed according to the risk. By understanding the risk, organisations will be able to protect the data appropriately.

Lastly, the use of encryption is widely accepted and recommended. The Achilles Heel of this is very often poor implementation of a well-intended approach. But if organisations use the right expertise to help and identify those companies that can talk to them in business terms and not just security terms, organisations can be experts in their sectors.

>See also: Cyber security guide to the 10 most disruptive enterprise technologies

The security industry must learn to get closer and be more focused as breach reporting becomes mandatory. This is something that has been on the cards for a few years and should be something organisations are talking about in the boardroom.

There are huge opportunities for those who will get this right, and as a result, businesses will be able to establish real trust between their customers and their customers’ customers.

After all, those that are trusted get the business. The catalyst of this change is the value of data as well as the front page stories over the last few years which have pushed the conversation on.

Sourced from David Robinson, CSO, Fujitsu UK and Ireland

Avatar photo

Ben Rossi

Ben was Vitesse Media's editorial director, leading content creation and editorial strategy across all Vitesse products, including its market-leading B2B and consumer magazines, websites, research and...

Related Topics

Data Breach