Experian’s Data Breach Preparedness Study: Increased Investments in Security Aren’t Stopping Breaches

March 18, 2020

While corporations today are more knowledgeable about security threats and prepared to respond to data breaches, there are key areas in which progress declined in 2019. Experian® released its seventh annual corporate preparedness study, Is Your Company Ready for a Big Data Breach?, revealing that cybercriminals may still be one step ahead of companies’ security practices and investments.

Conducted by the Ponemon Institute, the study surveyed 650 professionals in the United States — and new this year — 456 in EMEA.

Sixty-eight percent of respondents say their organization has put more resources toward security technologies to detect and respond quickly to a data breach. More than half of those surveyed (57 percent) also reported that they believe their data breach response plans are “very” or “highly” effective, up from 49 percent in 2018.

More organizations are also taking additional steps to prepare beyond their data breach response plan. These steps include:

Regularly reviewing physical security and access to confidential information (73 percent, up three percent)
Conducting background checks on new full-time employees and vendors (69 percent, up four percent)
Integrating data breach response into business continuity plans (56 percent, up four percent)
Subscribing to a dark web monitoring service (26 percent, up seven percent)

For the second year surveying respondents about the General Data Protection Regulation (GDPR), organizations have improved their ability to comply with GDPR with 54 percent of respondents saying they have a high or very high ability to comply with the regulation (an increase from 36 percent), while 50 percent of respondents have a high or very high effectiveness in complying with the data breach notification rules (an increase from 23 percent).

While more time and resources are being put toward preventing and preparing for a data breach, unfortunately, 63 percent of those surveyed reported they had a data breach involving more than 1,000 records, a 4 percent increase from 2018. There was a slight increase (one percent) of those who had data breaches more than five times (12 percent).

Consequently, organizations are struggling in the following areas:

Since 2017, respondents who say their organization is very confident or confident in their ability to deal with spear phishing attacks has declined from 31 percent to 23 percent. Sixty-nine percent of respondents had one or more spear phishing attacks in 2019.
Thirty-six percent of respondents say their organization had a ransomware attack last year with only 20 percent feeling confident in their ability to deal with it. The average ransom was $6,128 and 68 percent of respondents say it was paid.
From a reputation standpoint, only 23 percent of respondents say their organization is confident in its ability to minimize the financial and reputational consequences of a material data breach, while about a third (38 percent) believe they’re effective at doing what needs to be done following a data breach to prevent the loss of customers’ and business partners’ trust and confidence.
With more breaches being international in scope, only 34 percent of respondents say they are confident in their organization’s ability to respond to global breaches.
Two out of three (66 percent) respondents say their organization hasn’t reviewed or updated the plan since it was put into place or hasn’t set a specific time to review and update the plan.

“It’s a bit surprising to see that organizations have made great strides in certain areas, but not in others, especially when it comes to fighting rudimentary attacks, such as spear phishing or IoT and malware infiltration,” said Michael Bruemmer, vice president of Data Breach Resolution at Experian. “But, overall, with 94 percent of organizations having a data breach response plan in place, and a third deploying data protection program activities across the enterprise with C-level support, security postures have improved immensely. However, organizations shouldn’t let their guard down and should continue to invest in trainings, technology and external response partners.”

Ransomware and the propulsion of the extortion economy has rapidly eclipsed into a national priority. Recently, we observed the catastrophic impact of a widescale ransomware attack impacting gas pipelines and raising national gas prices overnight.