After years of debate over whether to impose new cybersecurity regulations on companies, the European Union's General Data Protection Regulation (GDPR) took effect in May 2018. Already we've seen several breached organizations ordered to pay fines under the new rules, and cookie disclosure notices are popping up on more websites than ever.
But let’s think about the bigger picture. Is GDPR working? How would we know?
For years, global policymakers have struggled to develop effective responses to cyber threats, in part because we just don't have the data to understand what is actually happening in cyberspace. Think about it: if you're a U.S. policymaker considering ways to address American unemployment, you can turn to the Department of Labor's Bureau of Labor Statistics for data that measures labor market activity, working conditions, and price changes in the economy, or to the U.S. Census Bureau for quality data on demographic and economic questions. When it comes to cyber crime, there's just not much to work with; the U.S. Bureau of Justice Statistics last updated its cybercrime data in 2005. There is no objective data set to turn to for cyber vulnerabilities, cybersecurity performance, cyber risk, or anything similar.
Bitsight is trying to change this dynamic. Thanks to our large-scale data collection and processing capabilities, Bitsight can collect, evaluate, and measure cybersecurity performance across global organizations, providing insight into global, regional, and sectoral performance trends across organizations of different sizes.
When Bitsight recently analyzed security performance across more than 140,000 organizations worldwide, the findings were surprising. While our research found a steady decline in security performance in every other region of the globe, organizations within continental Europe actually improved their security performance over the last year. One area of improvement is the implementation of stronger controls that reduce Internet-exposed services (open ports). These improvements track the lead-up to GDPR's effective date and continue after it, though the timing alone shows a correlation, not proof that GDPR caused the change.
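To make "Internet-exposed services" concrete, here is an added example of how a security team could compute such an exposure metric from its own external scan results and compare two snapshots over time. This is illustrative code written for this page, not Bitsight's methodology or code; the allowlisted ports, the high-risk port list, the host addresses and the scan records are all constructed assumptions.

```python
"""Added example (not Bitsight's code or methodology): measure
Internet-exposed services from externally observed open ports and
compare two snapshots. Scan records are constructed for the example;
in practice they would come from an external scan of your own public
address ranges."""

from collections import defaultdict

# Ports expected to be reachable from the Internet (assumed policy).
EXPECTED_PUBLIC = {80, 443}

# Ports that should essentially never face the Internet (assumed policy).
HIGH_RISK = {21, 23, 445, 1433, 3306, 3389, 5900, 6379, 27017}

# Constructed scan results: (snapshot, host, open port).
SCAN_JAN = [
    ("2018-01", "203.0.113.10", 80),
    ("2018-01", "203.0.113.10", 443),
    ("2018-01", "203.0.113.10", 3389),   # RDP exposed
    ("2018-01", "203.0.113.11", 22),
    ("2018-01", "203.0.113.11", 3306),   # MySQL exposed
    ("2018-01", "203.0.113.12", 23),     # telnet exposed
]
SCAN_JUN = [
    ("2018-06", "203.0.113.10", 80),
    ("2018-06", "203.0.113.10", 443),
    ("2018-06", "203.0.113.11", 22),
    # 203.0.113.12 no longer answers at all
]


def exposure(records):
    """Summarise one scan snapshot.

    Returns the number of distinct hosts seen, the count of open ports
    outside the allowlist, the count of high-risk open ports, and a
    per-host list of the unexpected ports for follow-up."""
    per_host = defaultdict(set)
    for _snapshot, host, port in records:
        per_host[host].add(port)
    by_host = {
        host: sorted(ports - EXPECTED_PUBLIC)
        for host, ports in per_host.items()
        if ports - EXPECTED_PUBLIC
    }
    n_unexpected = sum(len(ports) for ports in by_host.values())
    n_high_risk = sum(
        1 for ports in per_host.values() for port in ports if port in HIGH_RISK
    )
    return {
        "hosts": len(per_host),
        "unexpected": n_unexpected,
        "high_risk": n_high_risk,
        "by_host": by_host,
    }


def trend(before, after):
    """Compare two snapshots. Negative deltas mean exposure went down.

    hosts_dropped lists hosts that vanished entirely; a host that simply
    stopped answering lowers the counts without any port being hardened,
    so it is reported separately rather than silently counted as progress."""
    b, a = exposure(before), exposure(after)
    hosts_before = {host for _s, host, _p in before}
    hosts_after = {host for _s, host, _p in after}
    return {
        "unexpected_delta": a["unexpected"] - b["unexpected"],
        "high_risk_delta": a["high_risk"] - b["high_risk"],
        "hosts_dropped": sorted(hosts_before - hosts_after),
    }


if __name__ == "__main__":
    print(exposure(SCAN_JAN))
    print(exposure(SCAN_JUN))
    print(trend(SCAN_JAN, SCAN_JUN))
```

The per-host breakdown matters more than the headline count: in the constructed data, part of the drop comes from a host that disappeared rather than from a service being closed, which is exactly the kind of distinction an aggregate "open ports went down" figure hides.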