
Fourth Annual Data Breach Study: Planning Does Not Equal Preparedness

October 5, 2016

Findings from an annual Ponemon study on data breaches showed that while more companies have plans in place, they still lack confidence and are failing to take crucial steps as part of the preparedness process, preventing them from being truly ready for a real-life data breach incident.

The Fourth Annual Study: Is Your Company Ready for a Big Data Breach?, sponsored by Experian® Data Breach Resolution, said that given the current security landscape and the increased frequency and severity of data breaches, it is not enough to just develop a response plan that sits on a shelf. Companies must realize that planning is not the same as being fully prepared, and this year’s survey unfortunately indicated signs of complacency by many organizations in their levels of preparedness.

For example, this year, 41 percent of respondents said their organization is prepared to respond to a data breach involving business confidential information and intellectual property, only a three-percent increase from 2014. Similarly, only 39 percent said their organization is effective at doing what needs to be done following a material data breach to prevent the loss of customers’ and business partners’ trust and confidence, compared with an only slightly lower 33 percent of respondents in 2014.

Undoubtedly, said the study, there are “leaders and laggards” when it comes to data breach incident response planning. While some organizations are taking incident response planning seriously and ensuring their plans are relevant, up to date and actionable, many others are still simply “checking a box” and relying on incident response plans that are not comprehensive.

The 2016 data breach preparedness study revealed several key findings about the growth and maturity of incident response planning across industries. The top findings include:

Many organizations still lack confidence in their ability to respond to an incident because they are failing to take crucial steps as part of the preparedness process. Despite most companies having a response plan, only 27 percent of organizations are confident in their ability to minimize the financial and reputational consequences of a material data breach. This lack of confidence could be remedied by companies taking simple, yet crucial steps to truly prepare for a breach, the study said. Based on findings, the following are key areas where organizations should improve their preparedness:

  • Inconsistent Review Process:
    • 38 percent of organizations have no set time period for reviewing and updating the data breach response plan
    • 29 percent have not reviewed or updated their plan since it was put in place
  • Lack of Integration:
    • Less than half (46 percent) of the organizations integrated response plans into their business continuity plans
  • Insufficient Practicing of Plans:
    • The majority (68 percent) of organizations practiced their data breach response plans last year, but only 39 percent practiced at least twice
  • Poor Engagement with Regulators:
    • Only 12 percent of organizations met with these influencers in advance of an incident
  • Failure to Manage Financial Risk:
    • Only 38 percent of companies have a data breach or cyber insurance policy
    • Of those who do not have cyber insurance (55 percent), 40 percent have no plans to purchase it
  • Low Participation in Information Sharing and Analysis Centers (ISACs):
    • 59 percent of organizations do not participate in an initiative or program for sharing information to prevent and better equip companies to manage future attacks

Companies are not keeping up with the evolving threat and regulatory landscape.

Ransomware

Organizations are struggling to adapt to the ever-changing data breach landscape and account for emerging risks. One of the biggest threats on everyone’s radar is ransomware, a type of software designed to lock down access to a computer system until a sum of money is paid, yet companies are neither confident nor prepared to deal with this type of incident.

  • 56 percent of respondents are not confident in their organization’s ability to deal with a ransomware incident
  • Only 17 percent of respondents said employees are educated about the risk
  • Almost half (45 percent) of companies have taken no steps to prepare for a ransomware attack

International Breaches

Additionally, many companies are not prepared to respond to an international breach. As more companies expand beyond their national borders and are faced with new security regulations and mandates (e.g., GDPR), it’s vital that they understand the legal and regulatory framework of every country in which they operate. Unfortunately, the majority of companies are still failing to account for new scenarios and international incidents in their response plans.

  • 42 percent of respondents said that their organization did not include any process for managing an international data breach in their response plans
  • Only 35 percent of companies’ response plans include procedures for responding to a data breach involving overseas locations

As the world becomes more globalized, multinational companies need to broaden their perspective on planning: not only updating the response process and team, but also ensuring the plan accounts for changing regulations across borders.

Companies fail to properly engage the C-suite throughout the life cycle of a breach. Despite general acceptance and awareness of the need for C-suite involvement in data breach response planning and preparedness, senior executives are not being briefed or effectively engaged by response teams ahead of an incident. This ultimately leads to less effective breach response and could be part of the reason why many companies surveyed feel they don’t have the resources they need to be effective.

  • While almost half (43 percent) of respondents said their company’s board of directors, chairman and CEO are informed and involved in plans to deal with a possible data breach, their participation is minimal:
    • 17 percent regularly review the details of the company’s data breach response plan
    • 20 percent provide detailed feedback about the data breach response plan
    • 16 percent participate in a high-level review of the organization’s data protection and privacy practices

The majority of C-suite involvement takes place following an incident, with 40 percent of respondents noting that their executive team requested to be notified as soon as possible if a material data breach occurred.

Companies, however, are recognizing the need to evaluate third parties that store information and hold them more accountable for their security practices. On the upside, the majority of companies are taking critical steps to minimize the consequences of a potential third-party data breach. An overwhelming majority require:

  • That third parties have an incident response plan their organization can review (80 percent)
  • That third parties notify their organization when they have a data breach (93 percent)
  • Regular audits of their third parties’ security procedures (50 percent), an 11 percent increase from the previous year’s survey

Also, in addition to documenting and practicing data breach response plans, just over half of companies (51 percent) conduct third-party cyber security assessments to prepare.

Overall, this year’s findings indicate that companies recognize the need to develop response plans and prepare for security risks ahead of time, but are struggling to adapt quickly enough and take action beyond the basics. To be a leader in the response space, companies need to move beyond simply establishing a data breach response plan to check the box – risking great exposure to cybersecurity threats – and take the additional steps to be better prepared because, at the end of the day, planning does not equal preparedness.
