FTSE 30 Companies Risk Violating Key GDPR Principle, According to New RiskIQ Research

June 2017 by RiskIQ

With one year remaining until the commencement of the EU General Data Protection Regulation (GDPR), new research by RiskIQ reveals that more than one-third of all public web pages of FTSE 30 companies capturing personally identifiable information (PII) are in danger of violating the regulation by doing so insecurely.

When assessing the public websites of FTSE 30 organisations, RiskIQ found that more
controls on external facing web assets, known as an organisation’s digital
footprint, are needed in order to support requirements ahead of the fast-approaching
GDPR deadline. Most data capture forms found on websites fall within the scope of
GDPR as they collect personal data. The regulation emphasises that provisions should
be in place to ensure that PII is securely captured and processed. In the UK, the
Information Commissioner has provided guidance that, in the case of data loss where
encryption software has not been used to protect the data, regulatory action may be
pursued. [1]

RiskIQ research on the public facing websites of FTSE 30 organisations reveals:

- 99,467 live websites in total, an average of 3,315 websites per organisation
- 13,194 pages on those sites that collect PII; an average of 440 pages per organisation
- 34% of pages that collect PII are doing so insecurely
  - 29% are not using encryption
  - 3.5% are using very old, vulnerable encryption algorithms
  - 1.5% have expired certificates

Insecure collection of PII is not just a GDPR compliance violation. The loss of
personal data, profit, and reputation resulting from the use of insecure forms is a
legitimate concern for consumers, as well as shareholders. In addition to personal
claim liability, Article 83 provides guidance on fines for GDPR faults, which start
at the greater of €10m or 2% of global annual turnover for the preceding financial
year - or even double depending on the infraction. This applies to all companies
actively engaging with European citizens, regardless of whether they have a physical
presence in Europe.

GDPR hygiene extends beyond secure collection. As part of the regulation’s
fairness and transparency guidelines, organisations must clearly state at the point
of capture how they’ll be using an individual’s data. Permission to use their
data must be explicit and demonstrated through an action such as ticking a box, a
significant departure from the ‘opt out’ process most organisations have in
place today.

Bob Tarzey, analyst and director, Quocirca Ltd., said, “While this RiskIQ research
is focused on large UK companies, the findings will be representative of all
organisations. Many will already have the data security basics in place to comply
with the regulations that precede GDPR. However, GDPR has many additional
requirements, especially around the way data is captured and processed. These
include obtaining explicit opt-in from data subjects. Before an organisation can
address GDPR, it needs to fully understand the extent of its online data gathering
activities. With enforcement of GDPR less than a year away, the time to act is
now.”

The challenge for large, global organizations is the sheer volume and complexity of
websites and web applications that need to be accounted for, not only for security
purposes but also for regulatory compliance such as GDPR. RiskIQ’s Digital
Footprint helps organizations address this challenge by discovering and monitoring
an organisation’s public facing digital footprint, including websites and
associated pages and forms. It highlights both security and policy violation
exposures in that footprint to enable security and GRC teams to reduce their attack
surface and maintain compliance.

“Thorough knowledge of an organisation’s web presence is crucial to steering
clear of potential GDPR repercussions,” said Colin Verrall, vice president, RiskIQ
EMEA. “Our customers are using RiskIQ Digital Footprint to capture their full
digital footprint and actively identify potential areas of non-compliance, including
insecure data collection pages and forms.”


[1] https://ico.org.uk/for-organisations/guide-to-data-protection/encryption/
