Cybersecurity in Europe is Improving: Thank You GDPR?
Jake Olcott | December 4, 2018
After years of debate over whether to impose new cybersecurity regulations on companies, the General Data Protection Regulation (GDPR) went into effect in Europe in May 2018. Already we’ve seen several data breach victims ordered to pay fines under the new rules, and cookie disclosure notices are popping up on more websites than ever.
But let’s think about the bigger picture. Is GDPR working? How would we know?
For years, global policymakers have struggled to develop effective responses to cyber threats, in part because we just don’t have the data to help us understand what’s actually happening in cyberspace. Think about it — if you’re a U.S. policymaker considering ways to address American unemployment, you can turn to the Department of Labor’s Bureau of Labor Statistics for data that measures labor market activity, working conditions, and price changes in the economy. Or the U.S. Census Bureau for quality data on personal and economic issues. When it comes to cyber crime, there’s just not much to work with — the U.S. Bureau of Justice Statistics last updated its information in 2005. There’s no objective data set to turn to for cyber vulnerabilities, cybersecurity performance, cyber risks, or anything similar.
BitSight is trying to change this dynamic. Thanks to our massive data collection and processing capabilities, BitSight is able to collect, evaluate, and measure cybersecurity performance across global organizations, providing unique and valuable insight into global, regional, and sectoral performance trends across organizations of different sizes.
When BitSight recently analyzed security performance across more than 140,000 organizations worldwide, the findings were surprising. While our research found a steady decrease in security performance across all regions of the globe, organizations within continental Europe actually improved their security performance over the last year. One area where organizations have improved is the implementation of stronger controls to reduce Internet-exposed services (open ports). These improvements align well with the lead-up to the implementation of GDPR, and continue after the effective date.
[Figure: Cybersecurity Performance by Continent]
[Figure: Effectiveness in Reducing Internet Exposures (Open Ports)]
How will policymakers judge the necessity or effectiveness of these efforts? On what sectors should they spend their time and focus? On what sized companies? What data will they use? How will they model the impacts?
Global policymakers must begin thinking about the essential elements that will be necessary to build a lasting legal and policy framework to address these significant cyber risks. The Bureau of Labor Statistics was established in 1913; as we think about the next 100 years, and all of the changes that will come to our globe as a result of technology and interconnectivity, can there be any doubt that independent, quantitative cybersecurity data will be critical to our society?