Most organizations lack confidence in data security measures
Issues around data security have taken center stage at most organizations, but a new study finds that most organizations fail to update their security plans and lack confidence in the ability of their security measures to protect them from attack.
The fourth annual IT security study by the Ponemon Institute shows that “data breach preparedness certainly is on companies’ radar, and having a response plan in place is par for the course. The number of organizations with a plan increased from 61 percent in 2013 to 86 percent in 2016. However, despite this strong majority of companies that now have a response plan in place, 38 percent of organizations surveyed have no set time period for reviewing and updating it, and 29 percent have not reviewed or updated their plan since it was put in place.”
The study set out to discover how prepared senior-level executives feel their companies are to respond to a data breach. The report, which was sponsored by Experian Data Breach Resolution, revealed that “while more companies have data breach incident response plans in place, they still lack confidence and are failing to take crucial steps as part of the preparedness process, preventing them from being truly ready for a real life data breach incident.”
The study, “Is Your Company Ready for a Big Data Breach?” also revealed that only 27 percent of organizations surveyed are confident in their ability to minimize the financial and reputational consequences of a breach, and 31 percent lack confidence in dealing with an international incident.
“When it comes to managing a data breach, having a response plan is simply not the same as being prepared,” says Michael Bruemmer, vice president at Experian Data Breach Resolution. “Unfortunately, many companies are simply checking the box on this security tactic. Developing a plan is the first step, but preparedness must be considered an ongoing process, with regular reviews of the plan and practice drills.” Bruemmer says the lack of planning is especially troublesome when considering the rise of new threats, such as ransomware.
“In fact, the study showed that 56 percent of surveyed organizations are not confident that they could deal with a ransomware incident. Additionally, only 9 percent of survey respondents have determined under what circumstances they would pay to resolve a ransomware incident,” Bruemmer noted.
Additional key study findings further demonstrate the divide between plan creation and true data breach preparedness:
The good: Companies show an increase in the level of preparedness
58 percent of surveyed organizations (compared with 48 percent in 2014) have increased their investment in security technologies in the past 12 months to be able to detect and respond quickly to a data breach.
61 percent of surveyed organizations (compared with 44 percent in 2013) have a privacy/data protection awareness and training program for employees and other stakeholders who have access to sensitive or confidential personal information.
Companies understand that they need to take action after a breach occurs to keep customers and maintain their reputation. To do so, those surveyed believe the best approaches are providing free identity theft protection and credit monitoring services (71 percent), gift cards (45 percent), and discounts on products or services (40 percent).
The bad: Missteps and signs of complacency
Among those organizations surveyed that do not practice their plan (26 percent), a majority (64 percent) don’t practice because it is not a priority.
Only 38 percent of companies surveyed have a data breach or cyber insurance policy. Of those that do not have such a policy, 40 percent have no plans to purchase one.
Fewer than half (46 percent) of survey respondents have integrated response plans into their business continuity plans, and only 12 percent meet with law enforcement or state regulators in advance of an incident.
Only 39 percent of organizations surveyed practice their plan at least twice a year.