"Regulations such as the General Data Protection Regulation (GDPR) and the Australian Prudential Regulation Authority's (Apra's) CPS 230 standard have led organisations to become "really obsessed" with the 72-hour notification window following a data breach, according to Shannon Murphy, global security and risk strategist at Trend Micro."
"However, this focus means many are still making common and costly mistakes when dealing with incidents."
"Murphy said the lack of a formal incident response plan increases the stress on those handling such events, and consequently, "people are burning out". This high-pressure environment can lead to two other critical risks. The first is evidence being damaged, destroyed or otherwise invalidated by panicked attempts to restore services as quickly as possible. The second is the human tendency to start a blame game, which can also lead to evidence being deliberately concealed or destroyed."
Regulatory requirements such as GDPR and APRA CPS 230 have driven intense focus on meeting a 72-hour breach-notification deadline. That focus can prompt organisations to prioritise rapid service restoration over careful incident handling, increasing the chance of common and costly mistakes. Lack of a formal incident response plan raises stress for responders and contributes to burnout among staff. High-pressure reactions can produce two principal risks: evidence being damaged, destroyed or otherwise invalidated by hurried recovery attempts, and a blame culture that can lead to deliberate concealment or destruction of evidence. No empirical evidence or linked sources are provided showing these outcomes have increased specifically because of the 72-hour requirement.
Read at DataBreaches.Net
Unable to calculate read time
Collection
[
|
...
]