Experian Study on Data Breaches Reveals Gaps in Response Plans

While an increasing number of companies have a basic data breach response plan in place, many plans do not cover important steps and executives lack confidence in their ability to manage a major breach, according to a new study.

Sponsored by Experian Data Breach Resolution and conducted by the Ponemon Institute, the third annual study, Is Your Company Ready for a Big Data Breach?, probed more than 600 executives about their response plans and level of preparedness.

The good news is that 81 percent of survey respondents (an increase from 73 percent in 2014) have a response plan in place and there is more senior executive involvement, with 39 percent of boards of directors and chief executive officers being involved in incident response planning. This is up 10 percent from 2014.

However, despite data breaches being a major concern for organizations, many areas the survey addressed had less than stellar results. Only 34 percent of survey respondents said their response plan was effective, and only 28 percent are confident in their ability to minimize the financial and reputational consequences of a breach.

Additional key findings from the study include:

While more companies have a response plan in place (81 percent), they often lack important details and are not practiced regularly.

•More than half of respondents do not have a cyber insurance policy (53 percent)

•Forty-five percent of respondents say their company either does not practice responding to a data breach or waits more than two years to practice

•More than a third (37 percent) of respondents do not address procedures for responding to a data breach involving an overseas location

A majority of business leaders surveyed acknowledge that the potential damage data breaches can cause to corporate reputation is significant. The combination of the higher likelihood and significant impact has caused data breaches to be a major issue across all sectors.

•When asked about what issues would cause the greatest impact to corporate reputation, data breaches ranked second (39 percent) only to poor customer service (55 percent) and ahead of product recalls (35 percent), publicized lawsuits (25 percent) and environmental incidents (16 percent)

•The most concerning types of incidents are loss or theft of intellectual property (64 percent) and consumer data (53 percent)

•The biggest barriers to improving IT security to respond to a breach is lack of visibility into end-user access of sensitive and confidential information (60 percent) and proliferation of mobile devices and cloud services (45 percent)

Security magazine spoke with Michael Bruemmer, Vice President, Experian, about the study results.

Are you surprised that data breach preparedness, while it has improved, is not where it should be?
Michael Bruemmer: Yes - we were surprised to find that not all companies are taking action to prepare for a data breach or more notably practicing their plan. This is why many executives are not confident in their company's ability to successfully respond to a security incident. Only 34 percent of survey respondents said their response plan was effective, and only 28 percent are confident in their ability to minimize the financial and reputational consequences of a breach.

The report suggests that a company can include a strategy to minimize the consequences of the theft of business confidential information and intellectual property in data breach response plans.” What are companies including in their breach response plans?
Michael Bruemmer: At a base level, a data breach response plan includes the precise steps that would be taken in the event of the breach, and clearly detail roles and responsibilities of the response team. At a minimum, this should include involvement from IT, legal counsel, risk and compliance, public relations, human resources and customer service.

According to the study, some of the primary guidance companies account for in the data breach response plan include distributed denial of service attack (DDoS) (89 percent of respondents), loss or theft of personally identifiable information (79 percent of respondents), loss or theft of information about customer affiliations/associations that would result in damage to their organization (75 percent of respondents) and loss or theft of payment information, including credit cards (71 percent of respondents).

However, only 52 percent surveyed accounted for the potential loss of intellectual property or confidential business information in their response plan, and only 39 percent were prepared to manage the loss or theft of sensitive paper documents – indicating areas companies can improve their plans.

To help businesses identify gaps in their plan and areas to improve, we’ve outlined some of the key components for data breach preparedness in our annual 2015-2016 Data Breach Response Guide.

What should, as the report notes, a “strategy to maintain the trust of customers, business partners and other key stakeholders in data breach response plans,” entail?
Michael Bruemmer: Communication is key to maintaining trust. Once a data breach happens, companies should prioritize quick and transparent communication with customers and key stakeholders. According to a consumer survey we conducted last year, maintaining trust after a data breach requires a thoughtful response and actions. Consumers indicated companies that provide free identity theft protection (63 percent), deliver clear communications (67 percent) and disclose all of the facts (56 percent) following a data breach were more likely to keep their business. The good news is executives heard this feedback as a majority agree identity theft protection and credit monitoring should be provided to customers when a breach occurs.

Who should be the person within a company that is ensuring data breach preparedness?
Michael Bruemmer: The lead of a data breach response team can be different for every organization but the most important consideration is that the individual has access to the C-suite, an understanding of the data breach landscape and the respect of their peers. It is important the incident response team have a lean approval chain. One person should be the appropriate delegated authority to make executive decisions and articulate questions or concerns quickly up the chain of command in the event of an incident.

According to the study, 81 percent of respondents say their organizations have a data breach notification plan in place and the person most in charge is the chief information security officer (23 percent of respondents) followed by the compliance officer (13 percent of respondents) and head of business continuity management (12 percent of respondents).

Once a data breach takes place, whom within a company needs to be out front in the public and communicating with shareholders and customers and media?
Michael Bruemmer: Typically, the public relations team will guide a company on its communications approach and most often, the chief executive officer needs to be the one out front and center. Consumers need to know the company cares and takes the incident very seriously. Because the potential loss of reputation and brand loyalty poses a major risks to organization after a breach, it is essential that companies are prepared with the right communication strategies and have an understanding of best practices well ahead of time.

As part of the data breach response plan, companies should be prepared to equip spokespeople with statements on steps being taken to investigate the issue and consider mentioning that they will be provided a remedy of identity protection if it is being provided to those affected.

Companies should also be prepared to ensure frontline employees have the information they need to communicate to their customers about what happened, what the company is going to do in response and what actions the customer should take to protect themselves from fraud.

Are you seeing consumers on social media discussing data breaches the same way that they would discuss poor customer service?
Michael Bruemmer: While we don't see customers turning to social media as their day-to-day outlet to discuss data breach issues, just like a news cycle it can see a spike in conversation in the initial days surrounding an incident. However, that doesn't mean executives aren't concerned with the potential reputational impact a data breach can have with consumers. Executives ranked data breaches second only to poor customer service in terms of potential to damage business reputation. Perhaps surprisingly, this was ranked ahead of product recalls, environmental incidents and publicized lawsuits.

Read the full study at http://www.experian.com/data-breach/2015-ponemon-preparedness.html

Ransomware and the propulsion of the extortion economy has rapidly eclipsed into a national priority. Recently, we observed the catastrophic impact of a widescale ransomware attack impacting gas pipelines and raising national gas prices overnight.