Half of companies fail to tell customers about data breaches, claims study

Come the GDPR, failing to inform the authorities and customers of data breaches will be illegal - and subject to massive fines

Half of organisations don't bother telling customers when their personal information might have been compromised following a cyber attack, according to a new study.

The latest survey from security firm CyberArk comes with the full implementation of the European Union General Data Protection Regulation (GDPR) just months away.

Organisations that fail to notify the relevant data protection authorities of a breach within 72 hours of finding it can expect to face crippling fines of up to four per cent of turnover - with companies trying to hide breaches likely to be hit with the biggest punishments.

The findings have been published in the second iteration of the CyberArk Global Advanced Threat Landscape Report 2018, which explores business leaders' attitudes towards IT security and data protection.

The survey found that, overall, security "does not translate into accountability". Some 46 per cent of organisations struggle to stop every attempt to breach their IT infrastructure.

And 63 per cent of business leaders acknowledge that their companies are vulnerable to attacks, such as phishing. Despite this concern, 49 per cent of organisations don't have the right knowledge about security policies.

There's also a gap in security best practices, opening up organisations to the risk of attack. The study found that 42 per cent of organisations keep passwords stored in plain-text documents. Meanwhile, 21 per cent of them record such information in paper notebooks.

Trust in security can improve a business' reputation, the report suggested. Around 44 per cent of organisations said that potential partners now assess their security before striking deals, while 51 per cent now open up their systems to third-party partners.

David Higgins, director of customer development for EMEA at CyberArk, said it's becoming the norm for businesses to try and conceal cyber attacks.

"Unfortunately, it's not uncommon for organisations to want to hide the extent of damage caused by cyber attacks," he said in a statement.

"As we've seen in data breaches at Yahoo!, Uber and more, these organisations are either intentionally hiding initial details, or the attacks were more extensive than first thought."

He added: "This sort of behaviour will have massive consequences in the coming year with enforcement of GDPR fines for lack of compliance.

"What's also surprising about this survey is the persistence of rampant poor security best practices and lack of consistency across line of business and IT security leaders - despite strong awareness of risks and continued headline-generating cyber attacks."