Breach costs rise, but few organizations are ready to prevent them
Resolving the cost of data breaches continues to rise, according to results of the fifth annual study of data breaches across multiple industries, including healthcare, by the Ponemon Institute.
The average cost of recovering from a breach now stands at $3.62 million, according to data from 2017, the research organization found.
With sponsorship from Experian Data Breach Resolution, Ponemon surveyed 624 executives and staff employees working in privacy, compliance and information technology security in the United States.
Many organizations still are not ready to handle a breach; 51 percent of respondents to a survey do not rate their breach response plans as effective, Ponemon found. Only 19 percent of respondents said their organization’s data breach response plan is highly effective.
For example, nearly 90 percent of respondents indicate their organization has a data breach response plan, but two-thirds don’t schedule time to update or review the plan.
That’s a problem, particularly for the nation’s healthcare industry, which is one the most targeted sectors for hackers. Results from the Ponemon study found that 65 percent of breach victims lose trust in a breached organization, and almost one-third take steps to terminate the relationship.
Good governance in data breach preparedness is still lacking, according to Ponemon. “Most boards of directors, chairmen and CEOs are not actively engaged and avoid responsibility,” it contends. Fewer than half of surveyed respondents say C-suite executives are informed of a breach, and only 39 percent of boards of directors are informed and knowledgeable about their organization’s plan to respond to a breach.
Further, very few executives and board members participate in a high-level review of their organization’s data protection and privacy practices. Many respondents say less than half of their C-suite executives want to be notified if a breach occurs, and only 15 percent of respondents believe their board is willing to assume responsibility for executing the incident response plan.
When a breach occurs, organizations typically offer one year of credit monitoring services and identity theft protection to affected individuals, but such protection needs to be provided for more than a year, according to the survey respondents.
One-half of respondents believe protection should cover two or three years, and about one-third say protection should last four to seven years. Regardless of the term or protection, offering it is the best approach to keep customers and maintain the organization’s reputation, more than 70 percent of respondents agree.
The complete report from Ponemon is available here.