The General Data Protection Regulation (GDPR) already appears to be having a positive effect on the state of cybersecurity in Europe less than seven months after it took effect, showing that policy can have a direct effect on organizations’ security practices, security researchers said.
European companies have been performing better across the board, both in the run-up to the GDPR’s enforcement date in May and in the months since, a period that has already seen a number of companies fined for failing to comply with the law, according to a blog post from Jake Olcott, vice president at BitSight Technologies.
BitSight is a security rating and risk-management firm that scores organizations on their security practices much as credit bureaus such as Equifax rate individuals–by independently aggregating and analyzing relevant data. Researchers at the company
The GDPR requires organizations handling the personal data of EU residents to notify the supervisory authority within 72 hours of becoming aware of a data breach, and to inform the affected individuals when the breach is likely to put them at high risk–in practice, notification also tends to make the breach public. Companies found not to have complied face stiff financial penalties that, for larger organizations, could run to billions.
The regulation appears to have inspired European companies to really get their act together in the last months before the GDPR took effect, according to the BitSight data, which also could be the reason for the EU’s cybersecurity improvement in the months after, Stephen Boyer, founder and chief technology officer, told Security Ledger.
“Right around and building up to the regulation, people were really scrambling [to shore up security],” Boyer said. “When we measured it, we saw a really interesting rise. It’s a very marked improvement out of EU.”
The GDPR connection
Boyer acknowledged that the improvement “could be lucky.” However, given the feedback he and his colleagues at BitSight received from companies when the GDPR went into effect, it seems more likely the improvement was due to the enactment of the law and companies’ concern with compliance, he said.
“There was very much a hyper focus around this area right around the timing of GDPR compliance and the go-live date,” Boyer told Security Ledger.
BitSight researchers compared the security ratings of companies across seven regions: Europe, Oceania, North America, the Middle East, South America, Asia and Africa. The regional ratings fell between 520 and 600 depending on security performance, measured across 23 risk factors, including evidence of system compromise by malware, vulnerability patching and system configuration, Boyer said.
All the regions except Europe either held steady or showed decline in their overall ratings, making the connection between the improvement and the enactment of GDPR fairly obvious, he said.
There also was a slight dip in ratings once the regulation had been in effect a few months, which Boyer said isn’t a big surprise given that it reflects human nature. “It’s like when people scramble [to make improvements] and then they revert to old habits and lose focus,” he said.
In addition to the overall rating, BitSight looked more closely at one factor: how effectively companies close exposed Internet-facing service ports. Exposed services have been an entry point in recent major incidents, notably the WannaCry ransomware attack and the high-profile Equifax data breach, Boyer said. (WannaCry spread to hosts whose SMB service, TCP port 445, was reachable from the Internet; Equifax was compromised through an Internet-facing web application.) Europe and Africa both showed clear improvement on this measure, according to the data.
While the researchers can’t say for certain that Europe’s improvement here was related to the GDPR–and have no clear explanation for the spike in Africa, where no comparable regulation took effect during the period–it is in companies’ interest to reduce such a well-known attack surface regardless, Boyer said.
“If you’re going to think about how to reduce your risk [especially] having a penalty involved, you’re going to want to reduce exposure,” he said. “It makes sense you would focus on that.”
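The "exposed service ports" factor above is the one measure in the article a practitioner can check directly. The following is an added example, not code from the article and not BitSight's own rating methodology: a TCP connect probe paired with a deny-list of services that should never be Internet-facing, plus a summary of how many hosts in an inventory violate that policy. The RISKY_PORTS table, the host names in SAMPLE_INVENTORY and the probe timeout are all constructed for illustration and do not come from the source.

```python
"""Added example (not from the article, and not BitSight's own rating code):
a minimal check for exposed Internet service ports. It pairs a TCP connect
probe with a constructed deny-list of services that should never be reachable
from the Internet, and summarizes how many hosts in an inventory violate it.

Assumptions (hypothetical, chosen for illustration): the RISKY_PORTS table,
the host names in SAMPLE_INVENTORY and the 0.5 s probe timeout are all
constructed here and do not come from the source."""
import socket
from contextlib import closing

# Constructed policy: services that should not be Internet-facing.
RISKY_PORTS = {
    21: "FTP", 23: "Telnet", 135: "MS-RPC", 139: "NetBIOS", 445: "SMB",
    1433: "MSSQL", 3306: "MySQL", 3389: "RDP", 5900: "VNC",
    6379: "Redis", 27017: "MongoDB",
}


def is_port_open(host, port, timeout=0.5):
    """TCP connect probe: True only if the three-way handshake completes.
    A refused or timed-out connection counts as closed/filtered."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.settimeout(timeout)
        return s.connect_ex((host, port)) == 0


def classify_exposure(open_ports):
    """Split a host's open ports into policy violations and other exposure.
    Returns (violations, other): violations is a sorted list of
    (port, service) pairs, other a sorted list of the remaining open ports."""
    violations = sorted((p, RISKY_PORTS[p]) for p in open_ports if p in RISKY_PORTS)
    other = sorted(p for p in open_ports if p not in RISKY_PORTS)
    return violations, other


def audit_inventory(inventory):
    """inventory: {host: iterable of open ports}, e.g. exported from a scanner.
    Returns per-host findings and the share of hosts exposing at least one
    deny-listed service (a crude, rating-style factor)."""
    findings = {}
    violating = 0
    for host, ports in inventory.items():
        violations, other = classify_exposure(set(ports))
        findings[host] = {"violations": violations, "other": other}
        if violations:
            violating += 1
    share = violating / len(inventory) if inventory else 0.0
    return {"hosts": findings, "violating_share": share}


def scan_host(host, ports, timeout=0.5):
    """Live variant: probe each candidate port, then classify what is open."""
    open_ports = {p for p in ports if is_port_open(host, p, timeout)}
    return classify_exposure(open_ports)


def scan_demo():
    """Offline self-check: bind a real listener on 127.0.0.1 (port chosen by
    the OS), confirm the probe sees it open, close it, confirm it reads closed."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(("127.0.0.1", 0))
        srv.listen(5)  # handshake completes from the backlog; no accept() needed
        port = srv.getsockname()[1]
        seen_open = is_port_open("127.0.0.1", port)
    seen_closed = not is_port_open("127.0.0.1", port)
    return seen_open, seen_closed


# Constructed sample data, as if exported from a prior external scan.
SAMPLE_INVENTORY = {
    "web-1.example": [22, 80, 443],
    "file-1.example": [139, 445, 3389],
    "db-1.example": [22, 3306],
}

if __name__ == "__main__":
    print("loopback probe (seen open, then seen closed):", scan_demo())
    report = audit_inventory(SAMPLE_INVENTORY)
    for host, f in report["hosts"].items():
        print(host, "violations:", f["violations"], "other open:", f["other"])
    print("share of hosts exposing deny-listed services: "
          f"{report['violating_share']:.0%}")
```

The connect probe only reports services that complete a handshake from the scanning vantage point, so run it from outside the perimeter to measure what the Internet actually sees; the deny-list is a starting point to adapt, not a standard.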
Overall, the research, though inconclusive, suggests that cybersecurity-related policy can make a difference to companies’ overall security practices–and in a fairly short time frame, Boyer said.
“What we’re seeing here is policy does matter and it can have an impact,” he said. “When you hold organizations accountable for something, you can get some sort of response. In this case, the response looks fairly positive.”
The reason for the apparent immediate effectiveness of the GDPR is most likely the severe financial penalties companies stand to incur if they don’t comply, Boyer said. As is often the case in business, money talks.
“Companies can be fined up to four percent of global revenue,” he said. “That could be billions of dollars. So now cybersecurity isn’t just an IT issue anymore–this is a business-level, board level issue.”
Boyer said it’s crucial that BitSight and other security experts continue to measure the data and see if the GDPR has a lasting effect on business-level cybersecurity practices or if this is just a one-time thing. Either way, analyzing data about cybersecurity performance in the wake of regulation like this is a useful way to inform future policy decisions that could lead to improved security in companies across the globe, he said.
“This could be a signal or lesson learned for other policy makers who may need to elevate their game or [recognize] a pattern that could be a recipe for success,” Boyer said.