With the European Union's General Data Protection Regulation (GDPR) going into effect this May and lawmakers in the US proposing stricter data breach legislation, companies are facing increased pressure to better protect data and improve notification procedures. However, they’re falling down on the job.

Tripwire surveyed 406 cybersecurity professionals and found that just over three quarters (77%) of companies subject to GDPR could meet the 72-hour notification window, with 24% claiming they could notify customers of a data breach within 24 hours.

However, when asked how prepared their organization was to notify customers in the event of a data breach, less than a fifth (18%) said that they were fully prepared with a process in place. The majority (73%) said they were “somewhat prepared” and would have to figure things out “on the fly.”

“When it comes to cybersecurity, it’s shortsighted to figure things out on the fly,” said Tim Erlin, vice president of product management and strategy at Tripwire. “The majority of data breaches and security incidents can be avoided by following basic security steps and implementing tried and tested foundational controls. With GDPR coming into effect this year, running a business without a fully baked plan is really asking for trouble.”

When asked to characterize their company’s capabilities for knowing where its customer data is stored versus for protecting customer data, respondents were more confident in knowing where the data is. Over a third (35%) said their knowledge of where the customer data is stored is "excellent" by comparison to just over a fifth (21%) saying the same for their ability to protect customer data.

Other findings from the study revealed that most don’t feel they are fully prepared for any aspect of a security breach. Less than a fifth (18%) felt they were fully prepared with a cross-functional team in place to work across IT, finance and communications. Nearly three quarters (73%) were not fully prepared to protect customers, and only a fifth (22%) felt prepared to absorb potential financial penalties as a result of a security breach.

“There are plenty of tried and tested frameworks available from governing bodies in the cybersecurity space that can help organizations who feel like they’re struggling to prepare for a security incident and more specifically, GDPR,” Erlin added. “If you are an organization subject to GDPR – and as the rules apply to all companies worldwide that process personal data of European Union (EU) data subjects, that will be the majority of global businesses – you are not alone. Start researching for resources that cater to your needs now to help you prepare, so that you aren’t hit with a big fine come May 2018.”