Combating Complacency: Getting the Most Out of Your Data Breach Response Plan
Not only does a data breach plan need to be in place, it also needs to be dynamic and highly flexible.
This fall, the Ponemon Institute released its Fourth Annual study, Is Your Company Ready for a Big Data Breach? on data breach corporate preparedness, which revealed that 52 percent of companies experienced data breaches just this past year alone. This number has gradually increased from 33 percent in 2013 and is impacting all sizes of organizations across all industries. The growing threat has made cybersecurity a top priority for many companies, as they know it is no longer a matter of if, but when a breach will occur. The good news is that most companies (82 percent) have taken the first step in preparing for an incident by creating a data breach response plan. The bad news, however, is that these organizations are not confident in the effectiveness of their plan, with only 42 percent of respondents who said their plan was effective or very effective.
This lack of confidence highlights the need for companies to move beyond just a plan, to a dynamic program that considers the ever-changing world of cybersecurity. Over the past four years that Experian has partnered with the Ponemon Institute to conduct this study, several areas of preparedness where we expected to see growth have largely remained stagnant. This lack of advancement indicates a level of complacency that is certainly concerning.
Working on several hundred data breaches this year alone, we have noticed a few areas where complacency seems to be consistent across the board, and these areas are also consistent with the data from this year’s report. By understanding, as well as acting upon the following list of areas of complacency, companies can start more effectively preparing for a major security incident.
Keeping Up With Emerging Threats
The landscape of cybersecurity is continually evolving – from emerging risks such as ransomware to new regulations and case law. While breach response plans cannot reasonably be adjusted to meet every change, companies must take measures to ensure they have a process for updating their response plan that considers this dynamic environment and the new developments most likely to impact them.
As threats continue to evolve, I expected to see the number of companies updating their plan on a regular basis to grow. However, 38 percent of companies still have no set cadence for reviewing or updating their response plan. This is only a three-percent change from 2014, when 41 percent of respondents had no set cadence. Even more alarming, almost a third (29 percent) of companies surveyed have never reviewed or updated their plan.
To manage a response effectively and confidently, plans should be living documents that are frequently updated, and companies should consider a set schedule for reviewing and updating their plan. To assist in this process, they can ask outside cybersecurity experts for regular briefings on the latest legal and technical developments that should be incorporated. These experts are on the front lines of responding to major incidents and are able to provide real-world examples that should be taken into account. Complacency in this area can be extremely dangerous for companies, leaving them open to new security and financial risks.
Practicing Plans To Ensure Preparedness
Just as companies practice for natural disasters like fires, they should practice for cybersecurity threats. Practicing for a breach is a well-known tactic to ensure response plans are relevant and that the response team is ready to take action. Unfortunately, a third (32 percent) of respondents said their company does not practice its response plan. Of the companies that do not practice their plan, 76 percent don’t because it is too difficult to schedule and 64 percent say that it is not a priority.
On a positive note, while 68 percent of companies are taking the initiative to practice their response plan, the survey clearly showed that the definition of “practice” is not the same across organizations. In fact, the most common type of practice (73 percent) was a review of the plan by the person responsible for data breach response. Companies must move beyond reviewing the plan, to hosting drills. For companies looking for guidance on conducting a drill, Experian’s latest free Data Breach Response Guide provides an overview.
Gaining Third-Party Support Through Cyber Insurance
Lastly, despite a 28-percent increase in the number of organizations that have cyber insurance over the past four years, only 38 percent of companies have a data breach or cyber insurance policy. The largest increase of companies with insurance occurred between 2013 and 2014, from 10 percent to 26 percent, with only small increases during the years following.
A lack of cyber insurance, and the financial protection it provides, may be why 73 percent of respondents were not confident in their organization’s ability to minimize the financial and reputational consequences of a material breach. With the risk of litigation increasing and settlements from class action lawsuits on the rise, cyber insurance is a critical component of preparedness. Not only does it often cover legal defense costs and settlements, it provides access to experts who can help companies navigate a breach and manage the response.
If there is one thing the past four years have showed us, it is that data breaches are not going away. If anything, they are becoming more complicated. Companies cannot afford to let complacency set in. Almost all the companies we work with consider cybersecurity a top priority, and have invested time and resources into developing a plan. Taking the additional steps to ensure their plan is current, practiced and backed by third-party support can help them get the most out of the plan and respond to any security incident in an effective manner.