Do we need harsher penalties and enforced data breach detection measures?

The spate of high-profile data breaches reported in recent years is leading to increasing public fear about organizations’ ability to prevent and detect cybercrime, according to Bit9 + Carbon Black.

Nearly three-quarters (73%) of consumers say the time it is taking businesses to realize that sensitive customer data has been lost is ‘unacceptable’ and as a result, there are grave concerns about the existence of breaches that have yet to be discovered. The concern has risen to such a degree that over four in five (81%) consumers in Britain actually fear that cybercriminals could already have stolen their personal details without anyone realizing.

Many consumers are now calling for harsher penalties for businesses that could have prevented or detected a breach sooner if they had more effective, next-generation security measures in place:

• 81% of people believe that compromised customers should be compensated by the organization holding their data
• 59% of people say that a fine should be levied on organizations, whilst 40% of those respondents said those fines should be unlimited
• 7% of people actually want individuals in the organization to be culpable for their failures, calling for security officers to face jail time.

The overwhelming majority (94%) of consumers think businesses should have the ability to detect whether customer data has been stolen within 24 hours, whilst 47% said this should be narrowed to a matter of minutes. Nearly two-thirds (63%) think that any business that stores sensitive information about them should keep it under constant, 24-hour surveillance to ensure that a breach can be detected sooner.

The significant majority (93%) of consumers indicated their support for the mandatory and immediate disclosure of any discovered data breaches to the public and the authorities, which is set to be enforced by the forthcoming EU Data Protection Regulation.

However, many believe the EU isn’t going far enough: 94% of respondents believe it should be mandatory for any business storing their data to have appropriate processes in place to ensure they are able to detect if data has been stolen as quickly as possible, so that ignorance cannot be used as an excuse for non-disclosure.

David Flower, Managing Director, EMEA, for Bit9 + Carbon Black said: “It isn’t enough to just put in a firewall and install antivirus software; cybercriminals have long since found their way past those defences. Businesses now need advanced security capabilities that allow them to prevent, detect and respond to threats; not just on the network, but on the endpoint devices where data is stored, accessed and processed. Businesses need to maintain always-on, continuous monitoring so they’re able to notify customers immediately if their data is stolen. This will enable the victim to take measures such as cancelling cards or notifying credit reference firms early enough to prevent the cybercriminals from doing any serious damage.”