Well, there is good news and there is bad news. The good news we covered last month, with our post covering a survey that found increased cybersecurity awareness among business leaders could be attributed to the EU’s General Data Protection Regulation (GDPR).
Now for the bad news. With only a handful of months left before the GDPR is slated to go into effect, new research finds that more than half of employees in the U.S. are fully unaware of the regulation. It’s a peculiar disconnect with 53 percent of companies based in the U.S. citing GDPR preparedness as a top priority.
The findings are based on the 2018 Eye on Privacy Report from MediaPro [registration required], which surveyed 1,000 U.S. residents to test their understanding of data privacy best practices and global and national regulations that pertain to privacy.
Here are some highlights:
- 59 percent of respondents said the GDPR was “completely new” to them
- 8 percent of respondents said they were unsure if they should report a cybercriminal stealing sensitive client data while at work
- Finance sector employees did not consider tax information any more sensitive than respondents from the six other industries, including education and healthcare, included in the survey.
- Respondents in the technology sector demonstrated the least ability to correctly identify scenarios that could put private data at risk, such as reportable privacy incidents.
Not surprisingly, respondents were most familiar with the Health Insurance Portability and Accountability Act (HIPAA), with 52 percent of respondents believing that they knew HIPAA basics or were highly knowledgeable and could do what is necessary to be compliant. However, only 21 percent were familiar with the Fair Credit Reporting Act (FCRA), with 41 percent saying they either knew the basics of the credit-reporting regulation or knew a great deal about it. Finally, 49 percent and 44 percent said that they knew little about the Children’s Online Privacy Protection Act (COPPA) and the Electronic Communications Privacy Act (ECPA).
With those results, it’s no surprise that employees surveyed also had a lack of awareness when it came to the handing of sensitive data throughout their lives.
One of the most interesting exercises in this survey involved employees reaction to potential privacy-related incidents. In the survey, respondents were presented with eight scenarios and asked if the events were reportable. Here are their overall responses to the various scenarios:
- Being mistakenly sent an encrypted email by a coworker (Report)
- Spotting sensitive information left by the copier (Report)
- Noticing that security software on a shared workstation has been disabled (Report)
- IT staff installing software on your work computer to track internet usage (Do Not Report)
- Enabling cookies on your browser and receiving targeted ads for vacation spots (Do Not Report)
- Inadvertently posting restricted information to your personal Facebook account, then immediately deleting it (Report)
- Learning that a cybercriminal has stolen the names, addresses, and birth dates of several clients (Report)
- Noticing that your new car collects and shares data on location, speed, and seatbelt usage (Do Not Report)
The good news here is that most of these responses show good knowledge on what is reportable and what isn’t, although I wouldn’t report (besides a courteous note to the sender) mistakenly receiving an encrypted email – it was encrypted after all, so no damage was done.
These results tell me that there’s more good news to be found. While many employees are not familiar with the overarching regulations: they do know tactically what to do in most situations presented to them in this survey. That probably speaks to a win for enterprise processes and training.
This is a Security Bloggers Network syndicated blog post authored by Cybersecurity Matters. Read the original post at: Cybersecurity Matters – DXC Blogs