CIOs admit concerns over EU data protection reforms


A new survey has revealed an alarming lack of confidence in systems designed to protect sensitive data when shared with third parties.

In its survey of UK CIOs, Egress Software Technologies, a provider of encryption services, found that 87 per cent of those surveyed admitted to being worried that their current information security policies and procedures are not only putting their company at risk, but will also leave them exposed under the new EU General Data Protection Regulation (GDPR).

The survey also showed that over three-quarters of CIOs are frustrated that, despite technology such as encryption being available to enable secure ways of working, employees just aren’t using it. Significantly, they believe this is creating even more risk for the business.

Other key findings from the survey include:

  • 87 per cent are concerned their organisation might be exposed under the new EU regulation
  • 73.5 per cent are committing to tightening up data sharing processes in response
  • Only 20 per cent are focusing on accidental breach, despite research showing it is responsible for 93 per cent of incidents
  • 83 per cent admitted they would prioritise technologies based on perceived ease of deployment, rather than their ability to secure data
  • 77 per cent are frustrated that users choose not to use the data security tools made available to them
  • 87 per cent of these acknowledged this made their company more vulnerable


High profile breaches

Throughout 2015 high-profile organisations were repeatedly the focus of media attention following cyber-attacks on their customer data. Consequently, there are few surprises in board-level information security priorities on external vs internal threats to data protection, with 49 per cent focused on external hackers and only 20 per cent on accidental breach.

Board-level discussions on information security are also being brought into sharp focus now that the EU GDPR is looming overhead. The new legislation, due to come into force in 2018, will bring with it a mandatory notification process of 72 hours for data breach incidents and fines of up to 4 per cent of global turnover for organisations that have put sensitive customer data at risk.

Unsurprisingly this legislation is impacting on CIOs’ priorities, with 87 per cent of respondents concerned their organisation might be exposed under the new regulation, and 73 per cent committing to tightening up data sharing processes as a result.


Reasons behind prioritisation

When examining some of the reasons behind the prioritisation of data security solutions, the research shows that 83 per cent of respondents would prioritise technologies based on perceived ease of deployment, rather than their ability to secure data. In particular, the research highlighted that issues such as potential pressures on IT helpdesks, potential disruption to work processes and complex integrations mean there is little appetite to tackle the issue head on, and businesses remain at risk.

Egress CEO, Tony Pepper, commented: “At a board level, these results demonstrate a concerning disconnect with reality. ICO statistics demonstrate that 93 per cent of data security breaches occur as a result of human error – that is, people making mistakes when sharing sensitive information, poor processes and systems in place, and overall lack of care when handling data. Consequently, the emphasis being placed on cyber-attacks has the potential to become a distraction for many organisations. To date, much of the private sector has not been mandated to disclose breach incidents, but that is changing. And the results show that now they could be heading for trouble.”
