44 percent of organizations don't meet deadlines for reporting data breaches
While 75 percent of organizations set fixed time limits for investigating potential security incidents, many of them fail to meet their investigating and reporting targets.
According to a study from contextual security technology company Balabit 44 percent of respondents report missing internal or external deadlines for investigating or reporting a breach in the last year, and seven percent say a missed deadline had resulted in serious consequences.
"The Balabit survey identified that the primary reason for not being able to investigate data breaches in time is that organizations still do not understand their own data," says Péter Gyöngyösi, product manager of Blindspotter at Balabit. "It is difficult for them to extract the necessary information from unstructured data with their existing tools and they lack the contextual information that would help transform this data into valuable, actionable information".
The survey, carried out at the 2016 RSA conference in San Francisco, also shows that currently 30 percent of organizations don’t need to report security incidents to external authorities. These survey results come as organizations are under increasing pressure to prepare for new or updated compliance regulations that require data breaches to be reported within 72 hours. The EU General Data Protection Regulation, due to come into force in May 2018 (and related to that, the EU-US Privacy Shield), can lead to fines up to two percent of organizations global turnover. Likewise, a new regulation proposed by the New York Department of Financial Services also requires financial institutions to report data breaches within 72 hours, with severe penalties resulting from a failure to do so.
You can find more about the findings on the Balabit site and there's a summary in infographic format below.