Even though the General Data Protection Regulation (GDPR) clearly requires businesses to disclose any data breach that occurs, and to do so within 72 hours, the majority of industrial organisations fail to comply.
This is according to Kaspersky, whose latest survey claims that two thirds (67 per cent) of these businesses don’t report cybersecurity incidents to regulators.
The report cannot state for a fact why businesses withhold this information from regulators and the public, but it suggests that they want to avoid regulatory fines and fear damage to their public image.
Respondents said that more than half (52 per cent) of incidents lead to a violation of regulatory requirements, while 63 per cent fear that customers could lose confidence if news of a major breach were to break.
Apart from incident reporting, the report claims that businesses are taking compliance “very seriously”, although a fifth (21 per cent) admit they do not currently comply with mandatory regulations.
“Industrial compliance and regulations should not be taken lightly. But it is also very important to keep in mind the real threat landscape that is changing dynamically. An efficient cybersecurity solution in combination with clear policy should help companies achieve the necessary level of protection in accordance with regulatory requirements. Such solutions should contain technology-oriented measures, vulnerability assessment and incident response measures, as well as security awareness initiatives for all employees who work with industrial automation systems,” comments Georgy Shebuldaev, Head of Kaspersky Industrial Cybersecurity Business Development, Kaspersky.
The full Kaspersky State of Industrial Cybersecurity 2019 report can be found here.