Experian: More Than a Third of Companies are Unprepared to Respond to a Data Breach
Sixth annual corporate preparedness study also reveals that businesses lack confidence in preventing an attack.
Are companies ready for today's sophisticated cybercriminals and impact of data breaches? Experian's annual corporate preparedness study, Is Your Company Ready for a Big Data Breach?, reveals that progress has been made, but companies need to do better. Conducted by the Ponemon Institute, the findings reveal that only 36 percent of businesses are prepared to respond to a data breach and confidence levels to control growing threats is low.
The study identified these key areas for improvement:
• C-Suite Engagement: 49 percent of survey respondents say their executives are unknowledgeable about plans to deal with a data breach. A majority (81 percent) feel that increased participation and oversight from senior executives would make their response plan more effective.
• Security Processes: The biggest barrier to improving security is lack of visibility into end-user access of sensitive information (63 percent) while 60 percent say it's the proliferation of cloud services. Hindering improvement is investment in security technologies with a third not planning any investments in the next year.
• Employee Training: More than a quarter of organizations (27 percent) don't have a privacy/data protection awareness and training program for employees with access to sensitive or confidential information. Less than half of companies (47 percent) tackle spear phishing attacks.
• Response Plan: 42 percent of professionals surveyed say their company doesn't have a set time period for reviewing and updating their data breach response plan, and 23 percent haven't updated their plan since it was put into place. Less than half (46 percent) have procedures for responding to a data breach involving overseas locations.
"We'd like to see 100 percent of companies prepared and trained to handle any kind of data breach whether it's malware infiltration or ransomware. Prevention is the key, but if an incident occurs, swift management afterward will greatly minimize the damage," said Michael Bruemmer, vice president of Data Breach Resolution at Experian. "Organizations should implement a strong security posture staying up to date with the latest attack threats, engage in pre-breach agreements with security partners and hold a practice drill every year with a dedicated response team."
Lack of preparation leads to low confidence levels
Executives still feel challenged and concerned about being fully prepared for a data breach. Only 52 percent rated their plans as very effective, just a slight increase over 2017 (49 percent). When it comes to responding to a data breach involving business confidential information and intellectual property, only 36 percent feel prepared to respond. More than half (59 percent) aren't confident that they could handle ransomware.
Consequently, businesses continue to struggle with preventing security incidents. The study found that 35 percent had two to three data breaches in the past two years, and approximately 1 out of 10 companies (11 percent) experienced more than five data breach incidents in this timeframe. Among the respondents who had a data breach, 43 percent were global in nature. The report further recognized that businesses are struggling to comply with the General Data Protection Regulation (GDPR) — only 36 percent are following the rule.
After a data breach occurs, companies feel even less confident about managing the aftermath:
• Less than a quarter (21 percent) feel confident in their ability to minimize the financial and reputational consequences.
• Only 4 in 10 say they're effective at doing what needs to be done to prevent the loss of customers and keep business partners' trust and confidence after a breach.
• 53 percent don't have a cyber insurance policy that can help recoup expenses and cover damages.