Businesses more concerned with security costs than meeting ‘State of the Art’ requirement, finds Trend Micro Study.

The countdown is on and global businesses now have just six months until the General Data Protection Regulation (GDPR) is enforced. A recent study from Trend Micro Incorporated, has found confusion among businesses about the regulations, with 30 per cent unable to agree on what ‘State of the Art’ security requirements entail.

Trend Micro’s survey found wide variation on the definition of ‘State of the Art’ security among the 1,000 IT decision makers from businesses across the globe.

  • While 30 per cent of businesses define it as buying security from an established market leader, another 17 per cent think it means using products that pass independent third-party tests.
  • Additionally, 16 per cent believe it refers to products that are highly rated by analyst reports, and 14 per cent think it covers start-ups providing innovative technology.
  • Worryingly, 12 per cent of IT decision makers are more concerned about the price of security products than whether the products they invest in meet GDPR requirements, and 9 per cent were unable to provide a definition at all.
“There are many hurdles for businesses to overcome in establishing GDPR compliance – trying to demystify what ‘State of the Art’ means is but another challenge on the list,” said Bharat Mistry, principal security strategist for Trend Micro. “Regulatory enforcement bodies should offer further clarification on what ‘State of the Art’ means, so businesses can ensure they’re not stepping into a fine once May 2018 arrives.”

A Breach of Trust

Another hurdle for businesses to conquer involves the new timeline in regards to informing regional Data Protection Authorities, like the Information Commissioner’s Office (ICO) in the UK, and customers affected in the event of a data breach.

  • Despite this, just 63 per cent of businesses have a notification process in place for their customers. And, in countries like the US, there is a state-by-state approach requiring —or not—notification of a breach occurring.
  • However, against GDPR guidelines, 21 per cent of companies have a process to inform their data protection authority but actually avoid notifying customers.
  • Companies are also not currently prepared to handle their customers’ ‘right to be forgotten,’ despite 63 per cent citing that customers are asking for more transparency when it comes to the use of their data.
  • While 77 per cent have a process in place for data they collect, only 64 percent can process requests for data their partners collect.
  • In addition, only 63 percent can process data their cloud service providers hold and 60 percent can fulfil requests relating to data third party agencies collect.
GDPR Purchasing Priorities

While mandating state of the art security does enable GDPR to maintain relevance in the face on continual technology advancement, the lack of specific approach definitions has introduced confusion and challenges around prioritisation of technology.

  • The most commonly implemented solution is intruder identification technology, with 34 per cent incorporating it into their organisation.
  • Data leak protection (DLP) technology is also used by 33 percent of businesses, while 31 per cent have started encrypting their data.
  • Additionally, 29 per cent are encrypting passwords or implementing hardware lockdowns to combat infected USB sticks.
Despite these cybersecurity purchases, this research reveals that the majority of organisations have not taken steps that would qualify their approach as state of the art, suggesting that they are depending on single purpose or legacy defences rather than taking a multi-layered approach.

To ensure data is as secure as possible, a layered cybersecurity defence must be implemented to ensure protection at every level of the IT environment.

However, it’s not just about technology, as investing in education is also a GDPR priority. The research shows 63 per cent of organisations have not yet started to raise awareness, and only 33 per cent having introduced a new data protection policy.

“Educating employees and updating data protection policies is all well and good, but if corporate data isn’t protected, intruders can’t be detected, and if protections aren’t in place to prevent data leaks, businesses don’t have a cybersecurity strategy,” Mistry continued. “There’s no silver bullet to cybersecurity; it’s an all-encompassing war in which multiple techniques are necessary to fight hackers’ increasing pragmatism. Any business that doesn’t realize this quite simply won’t be compliant with the regulation.”

GDPR Summit Series is a global series of GDPR events which will help businesses to prepare to meet the requirements of the GDPR ahead of May 2018 and beyond.

Further information and conference details are available at