Nearly two-thirds (63%) of IT professionals are more concerned about data privacy and security than they were two years ago, but their poor online practices continue to drive cyber-risk, according to a new study published on the EU’s Data Protection Day.
Also known as Data Privacy Day in North America, the awareness-raising event was originally slated for January 28 13 years ago as this was the date that the Council of Europe’s data protection convention (Convention 108) was opened to signature.
However, while most of the respondents to Yubico’s study — who were IT and information security pros in the US, UK, Germany and France — said they were increasingly concerned about privacy, bad habits persist.
Some 69% admitted they had shared passwords with colleagues, and over half (51%) reuse an average of five passwords across business and personal accounts. Over half (55%) don’t use two-factor authentication at work and 67% do not use it for personal accounts.
These findings are especially concerning given that IT professionals should theoretically be leading by example in organizations and society at large by following best practices in security and privacy. They also hold the keys to privileged corporate accounts and so represent a major target for hackers.
Even more concerning is the fact that 51% of those polled said they’d suffered a phishing attack at home and 44% at work, but over half (57%) of these claimed it didn’t affect their password behavior.
Thanks to the GDPR, consumers and organizations around the world are becoming more privacy-aware. Google was recently fined €50m in France in the first major investigation by regulators, with experts predicting many more will follow for both privacy and security infractions.
Aside from the ‘stick’ of regulatory fines, the likes of the ICO are hoping that the ‘carrot’ of improved transparency, operational efficiency, competitive differentiation and security, will encourage organizations to get compliant.
A Cisco study of over 3000 global security and privacy professionals released last week claimed that only 37% of GDPR-ready companies experienced a data breach costing more than $500,000, versus 64% of the least GDPR-ready firms.
In addition, those investing in GDPR compliance experienced shorter delays due to privacy concerns in selling to existing customers: 3.4 weeks as opposed to 5.4 weeks for the least GDPR-ready organizations.
UK firms were among the leaders globally, with 69% claiming to be GDPR-ready, compared to just 42% in China and 45% percent in Japan.