New survey reveals how data breaches impact consumer confidence, with majority of respondents calling for harsher punishments and prepared to boycott breached organisations
13 November, 2013 – LogRhythm, a leader in cyber threat defence, detection and response, today announced the results of its annual survey that reveals the UK public wants to be informed whenever an organisation suffers a data breach, and that more needs to be done to punish companies that lose sensitive information. The survey also shows that consumers call for breach notification laws that make it mandatory for all breaches to be reported to all customers – irrespective of scale.
In the survey of 1,000 consumers, conducted for LogRhythm by OnePoll, two-thirds of respondents (66 percent) said that there should be legislation forcing organisations to declare any data breaches experienced, with the same percentage stating that customers should be told immediately. While current EU legislation requires only affected customers of telecoms operators or ISPs to be notified, 64 percent of respondents reported a desire for all customers to be informed, regardless of whether their data was comprised. On a similar note, the majority of respondents feel that not enough is being done to uniformly punish organisations that lose sensitive data.
“The barrage of data breaches this year has clearly impacted the way in which consumers perceive the security of their personal information, which points to an urgent need for organisations to up the ante on data protection,” said Ross Brewer, vice president and managing director for international markets at LogRhythm. “EU data privacy laws go some way toward mandating full breach disclosure, but the feedback from consumers is that much more needs to be done – across industries far beyond the telecoms sector. However, with 53 percent of respondents admitting that they would think twice about doing business with breached organisations, businesses face a very difficult dilemma indeed.”
When it comes to consumer confidence, the results were equally bleak, with 48 percent believing it inevitable that their data will be compromised by hackers at some point. Echoing the results of a similar survey in November 2012, social media and gaming websites were deemed the least trusted keepers of personal information, while healthcare providers and financial services institutions were favoured for security.
“Interestingly, when compared to last year’s results, the inevitability of data breaches is more apparent, which could be signalling a worrying era of data breach malaise. Perhaps, as initiatives such as the EU’s 24 hour breach notification regulations develop, we’ll see confidence increase and consumers becoming less resigned to the fate of their privacy. However, organisations should not be motivated solely by the threat of regulatory fines to keep data secure, and they must implement their own safeguards in an effort to reassure customers their information is safe – particularly with so many people willing to boycott the victim organisations.”
In light of ongoing allegations of government-sponsored espionage, respondents reported concern over the level of information sharing between large organisations and internet companies – with 63 percent worried about the impact this has on who sees their private data. In terms of national cyber security, 16 percent of British consumers believe government organisations are doing enough to protect national assets from cyber security threats, compared to just 11 percent in 2012.
“This year, the UK government has been very outspoken about its drive to commit more resources to cyber security, which could be a reason for the slight increase in public confidence – however, it has been a tough few months, and as NSA and GCHQ spying headlines continue to mount, confidence is understandably still low,” continued Brewer. “In any case, the research proves that more needs to be done by governments, industry regulators and organisations themselves to restore the confidence of those who matter most – the people handing over their private information. As consumers become more wary of how their data is used, there really is no room for excuses or lax security.”
LogRhythm urges organisations to make better use of the data generated by networks so that potential threats can be identified before they have a chance to escalate. Using security intelligence platforms such as Security Information and Event Management (SIEM) as part of an integrated Protective Monitoring strategy enables automated, centralised collection and analysis of log data that ensures anomalies are identified as they occur. Developing this deep insight requires the ability to see even minor changes that may occur across the IT estate, such as files being altered or copied to portable storage devices.