SYDNEY, September 6, 2017 – With the General Data Protection Regulation (GDPR) taking effect May 25, 2018, businesses around the globe should be preparing accordingly. However, through a recent survey, Trend Micro, a global leader in cybersecurity solutions, found that C-suite executives are not approaching the regulation with the seriousness required, resulting in overconfidence when it comes to compliance.
GDPR Awareness
The company’s research reveals a robust awareness of the principles behind GDPR, with a strong 95 per cent of business leaders knowing they need to comply with the regulation, and 85 per cent having reviewed its requirements. In addition, 79 per cent of businesses are confident that their data is as secure as it can possibly be.
Despite this perceived awareness, there is some confusion as to exactly what Personally Identifiable Information (PII) needs to be protected. Of those surveyed, 64 per cent were unaware that a customer’s date of birth constitutes PII. Additionally, 42 per cent wouldn’t classify email marketing databases as PII, 32 per cent don’t consider physical addresses to be PII, and 21 per cent don’t see a customer’s email address as PII, either. These results indicate that businesses are not as prepared or secure as they believe themselves to be. Regardless, this data provides hackers with all they need to commit identity theft, and any business not properly protecting this information is at risk of a fine.
The global findings are aligned with a survey conducted at Trend Micro’s CLOUDSEC conference in Sydney in August. More than half (56 per cent) agree that they will be impacted by the mandatory data breach notification scheme set to be in place from early 2018, and either already have a process in place or are working on a formal process. Surprisingly, as many as 16 per cent don’t believe they will be impacted by the scheme, and more than a quarter (28 per cent) admit they only have an informal process in place, or no process at all, for risk management and cloud security within their organisation.
Indi Siriniwasa, Managing Director - Enterprise & Government, Trend Micro ANZ, said that it is concerning that so many Australian organisations are not prepared for the new legislation, or are of the belief that they won’t be affected. “It has never been more important for organisations to make cybersecurity a key priority, and protect the interests of their customers against cybersecurity attacks. Not only is this a security and prevention issue, but it can also have a disastrous impact on both brand and reputation,” said Siriniwasa.
The Cost of Not Being Compliant
According to the global survey, a staggering 66 per cent of respondents appear to be dismissive of the amount they could be fined without the required security protections in place. Only 33 per cent recognise that up to four per cent of their annual turnover could be sacrificed. Additionally, 66 per cent of businesses believe reputation and brand equity damage is the biggest pitfall in the event of a breach, with 46 per cent of respondents claiming this would have the largest effect amongst existing customers. These attitudes are especially alarming considering businesses could be shut down in the event of a breach.
Responsible Parties
Trend Micro also learned that businesses are uncertain as to who is held accountable for the loss of EU data by a US service provider. Only 14 per cent could correctly identify that the loss of data is the responsibility of both parties, with 51 per cent believing the fine goes to the EU data owner, while 24 per cent think the US service provider is at fault.
In addition, it turns out businesses aren’t sure who should take ownership of ensuring compliance with the regulation, either. Of those surveyed, 31 per cent believe the CEO is responsible for leading GDPR compliance, whereas 27 per cent think the CISO and their security team should take the lead. However, only 21 per cent of those businesses actually have a senior executive involved in the GDPR process. Meanwhile, 65 per cent have the IT department taking the lead, while only 22 per cent have a board level or management member involved.
“Increasingly, cybersecurity is being addressed by executives at board level which has been triggered mainly by the widespread awareness around the financial and reputational threat that outbreaks such as WannaCry and Petya have had on organisations around the world. It’s important for key decision makers including board executives to take shared responsibility to drive much needed industry change,” added Siriniwasa.
The Technology Required
With threats growing in sophistication, businesses often lack the expertise to combat them, and layered data protection technology is required. GDPR mandates that businesses must implement state-of-the-art technologies relative to the risks faced. Despite this, only 34 per cent of businesses have implemented advanced capabilities to identify intruders, 33 per cent have invested in data leak prevention technology and 31 per cent have employed encryption technologies.
The Research
For more information about Trend Micro’s findings on the pulse of business leaders regarding GDPR, check out the infographic and supplemental blog post. In partnership with Opinium, Trend Micro conducted its survey between May 22 and June 28, 2017. The preceding results are gleaned from 1,132 online interviews with IT decision makers from businesses with 500+ employees in 11 countries, including United States of America (USA), United Kingdom (UK), France, Italy, Spain, Netherlands, Germany, Poland, Sweden, Austria and Switzerland. Respondents of the survey hold either senior executive, senior management or middle management positions in multiple industries including retail, financial services, public sector, media and construction.
The Trend Micro CLOUDSEC Sydney survey was conducted in August at Sydney CLOUDSEC 2017, attended by more than 1000 IT executives. Live results can be viewed here.
About Trend Micro
Trend Micro, a global cybersecurity leader, helps make the world safe for exchanging digital information. Fueled by decades of security expertise, global threat research, and continuous innovation, Trend Micro's cybersecurity platform protects hundreds of thousands of organisations and millions of individuals across clouds, networks, devices, and endpoints. As a leader in cloud and enterprise cybersecurity, the platform delivers a powerful range of advanced threat defence techniques optimised for environments like AWS, Microsoft, and Google, and central visibility for better, faster detection and response. With 7,000 employees across 65 countries, Trend Micro enables organisations to simplify and secure their connected world. www.trendmicro.com
Media Contact:
Lisiane Lenz
(971) 505785061
pr@trendmicro.com.au