Fourth Annual Data Breach Study: Planning Does Not Equal Preparedness
Findings from an annual Ponemon study on data breaches showed that while more companies have plans in place, they still lack confidence and are failing to take crucial steps as part of the preparedness process, preventing them from being truly ready for a real life data breach incident.
The Fourth Annual Study: Is Your Company Ready for a Big Data Breach? sponsored by Experian® Data Breach Resolution said that given the current security landscape, and the increased frequency and severity of data breaches, it is not enough to just develop a response plan that sits on a shelf. Companies must realize that planning is not the same as being fully prepared, and this year’s survey unfortunately indicated signs of complacency by many organizations in their levels of preparedness.
For example, this year, 41 percent of respondents said their organization is prepared to respond to a data breach involving business confidential information and intellectual property, only a three-percent increase from 2014. Similarly, only 39 percent said their organization is effective at doing what needs to be done following a material data breach to prevent the loss of customers’ and business partners’ trust and confidence, with only a slightly lower 33 percentage of respondents in 2014.
Undoubtedly, said the study, there are “leaders and laggards” when it comes to data breach incident response planning. While some organizations are taking incident response planning seriously and ensuring their plans are relevant, up to date and actionable, many others are still simply “checking a box” and relying on incident response plans that are not comprehensive.
The 2016 data breach preparedness study revealed several key findings about the growth and maturity of incident response planning across industries. The top findings include:
Many organizations still lack confidence in their ability to respond to an incident because they are failing to take crucial steps as part of the preparedness process. Despite most companies having a response plan, only 27 percent of organizations are confident in their ability to minimize the financial and reputational consequences of a material data breach. This lack of confidence could be remedied by companies taking simple, yet crucial steps to truly prepare for a breach, the study said. Based on findings, the following are key areas where organizations should improve their preparedness:
- Inconsistent Review Process:
- 38 percent of organizations have no set time period for reviewing and updating the data breach response plan
- 29 percent have not reviewed or updated their plan since it was put in place
- Lack of Integration:
- Less than half (46 percent) of the organizations integrated response plans into their business continuity plans
- Insufficient Practicing of Plans:
- The majority (68 percent) of organizations practiced their data breach response plans last year, but only 39 percent practiced at least twice
- Poor Engagement with Regulators:
- Only 12 percent of organizations met with these influencers in advance of an incident
- Failure to Manage Financial Risk:
- Only 38 percent of companies have a data breach or cyber insurance policy
- Of those who do not have cyber insurance (55 percent), 40 percent have no plans to purchase it
- Low Participation in Information Sharing and Analysis Centers (ISACs):
- 59 percent of organizations do not participate in an initiative or program for sharing information to prevent and better equip companies to manage future attacks
Companies are not keeping up with the evolving threat and regulatory landscape.
Organizations are struggling to adapt to the ever-changing data breach landscape and account for emerging risks. One of the biggest threats on everyone’s radar is ransomware, a type of software designed to lock down access to a computer system until a sum of money is paid, yet companies are neither confident nor prepared to deal with this type of an incident.
- 56 percent of respondents are not confident is their organization’s ability to deal with a ransomware incident
- Only 17 percent of respondents said employees are educated about the risk
- Almost half (45 percent) of companies have taken no steps to prepare for a ransomware attack
Additionally, many companies are not prepared to respond to an international breach. As more companies expand beyond their national borders and are faced with new security regulations and mandates (i.e. GDPR), it’s vital that they understand the legal and regulatory framework of every country in which they operate. Unfortunately, the majority of companies are still failing to account for new scenarios and international incidents in their response plans.
- 42 percent of respondents said that their organization did not include any process for managing an international data breach in their response plans
- Only 35 percent of companies’ response plans include procedures for responding to a data breach involving overseas locations
As the world becomes more globalized, multi-national companies need to broaden their perspective when it comes to planning to not only consider updating the response process and team, but also ensure it accounts for changing regulations across borders.
Companies fail to properly engage C-Suite throughout the life cycle of a breach. Despite general acceptance and awareness for C-Suite involvement in data breach response planning and preparedness, senior executives are not being briefed or effectively engaged by response teams ahead of an incident. This ultimately leads to less effective breach response and could be part of the reason why many companies surveyed feel they don’t have the resources they need to be effective.
- While almost half (43 percent) of respondents said their company’s board of directors, chairman and CEO are informed and involved in plans to deal with a possible data breach, their participation is minimal:
- 17 percent regularly review the details of the company’s data breach response plan
- 20 percent provide detailed feedback about the data breach response plan
- 16 percent participate in a high-level review of the organization’s data protection and privacy practices
The majority of C-Suite involvement takes place following an incident, with 40 percent of respondents noting that their executive team requested to be notified as soon as possible if a material data breach occurred.
Companies, however, are recognizing the need to evaluate and hold third-parties who store information more accountable for security practices. On the upside, the majority of companies are taking critical steps to minimize the consequences of a potential third-party data breach. An overwhelming majority require:
- That third parties have an incident response plan their organization can review (80 percent)
- That third parties notify their organization when they have a data breach (93 percent)
- Regular audits of their third parties’ security procedures (50 percent), an 11 percent increase from the previous year’s survey
Also, in addition to documenting and practicing data breach response plans, just over half of companies (51 percent) conduct third-party cyber security assessments to prepare.
Overall, this year’s findings indicate that companies recognize the need to develop response plans and prepare for security risks ahead of time, but are struggling to adapt quick enough and take action beyond the basics. To be a leader in the response space, companies need to move beyond simply establishing a data breach response plan to check the box – risking great exposure to cybersecurity threats – and take the additional steps to be better prepared because at the end of the day, planning does not equal preparedness.