As 2014 draws to a close, we’re left picking up the pieces from one of the biggest years in data breach history. Compared to 2012, industry reports show a 100-percent increase in the number of individuals notified of a breach – impacting the bottom line and brand reputation of businesses. Set against the data breach landscape, C-suite executives are being held more accountable by stakeholders, regulators and consumers for security lapses. In fact, industry research suggests 51 percent of consumers will take business elsewhere after a company is breached.
With this in mind, it’s become increasingly easy for security executives to demonstrate the need to be prepared for a data breach the same way companies would plan to face a natural disaster or other major business risk. Decision makers at the highest level should take an active role in both preparation and response. And while we’ve seen more companies answering the call and taking basic steps to prepare for the increasing likelihood of a breach, businesses need to do more than simply check the box to establish an effective incident response plan.
Companies are aware they have a high likelihood of experiencing a security incident. Seventy-three percent of businesses report having a data breach response plan in place, yet a majority of executives (63 percent) feel unprepared to respond to a breach. In these situations, having a plan is only the first step. To respond effectively, a plan must be practiced and updated regularly. This is where companies are failing to execute, with 78 percent of businesses reporting they don’t regularly update their data breach response plan to account for changing threats or their own evolving company processes. To ensure a company is prepared for a breach, security executives should view the response plan as they do a fire evacuation plan. Having every employee practice regular drills and data breach response audits ensures everyone knows precisely what to do in the event of an incident. Some companies take this advice to heart, with one client recently calling us and other partners as part of a data breach response drill. With the exception of a select few employees who knew about the audit, everyone on the internal and external response team believed they were experiencing a breach. The result was a true reflection of their response process and valuable learnings for improving in case of a real-life scenario.
For a successful data breach response, companies must ensure communications is integrated into the planning process, as it’s an essential part of protecting company brand. Immediately following a breach, a company’s corporate reputation is most susceptible to harm, with value at risk of declining by as much as 17 percent to 31 percent. This makes the ability to respond to a security incident immediately, effectively and correctly all the more important. Clear, sincere communication to affected consumers following a breach can help maintain trust and combat “data breach fatigue,” as more than one-third of breached consumers report they’ve ignored data breach notifications from companies. Partnering with a communications team better prepares executives to maintain consumer trust and respond to questions from regulators and the media.
Internally prioritizing security creates a culture of security from the top down. To do this, the C-suite must allocate proper resources to fund training for employees and up-to-date technology. This need is clearly felt by businesses. Recent research from the Ponemon Institute indicates 69 percent of senior executives identify funding as a major need to improve response activity after a breach. To improve data breach response and create a company-wide focus on security preparedness, investment in department-specific training should trickle down from the CSO and data breach response team. Security executives should ensure each member of the team understands their responsibility to apply prevention and preparedness best practices to each of their own departments.
Senior executives are at a point where they must shift their ways of doing business to emphasize a culture of security and data breach preparedness within their company. Unfortunately, there are several recent examples companies can look to that show what can happen if a breach is not handled properly. To prepare, security executives must recognize data breaches have moved beyond the IT department to become a holistic business issue. It is more important than ever that C-suite executives be prepared to respond to a breach and protect customers – or face consequences of increased scrutiny resulting in reputational and financial damage.
More information on how businesses can prepare for a data breach is outlined in Experian’s annual data breach response guide: http://bit.ly/2014-2015-response-guide.