Study: Organizations better prepared, but not more practiced in responding to data breaches
Experian Data Breach Resolution released the findings of its second annual study on data breach preparedness on Wednesday, the results of which appeared to be mixed. The study, which was conducted by the Ponemon Institute, surveyed 567 executives in the U.S. and found that 73 percent of companies now have data breach response plans in place, compared to 61 percent of organizations polled in 2013. Additionally, 72 percent of respondents indicated that they have dedicated data breach response teams, which is slightly higher than the 67 percent of organizations which said they had them in last year’s study.
However, despite the fact that more organizations appear to be taking the threat of data breaches more seriously, relatively few have actually practiced these plans in a meaningful way as the study found that only 30 percent of executives believed their companies were “effective” or “very effective” in developing and executing a data breach plan.
“Confidence among senior executives is low as 68 percent of the respondents still felt unprepared for a breach and 30 percent actually said their data breach response plan was ineffective,” said Michael Bruemmer, vice president, Experian Data Breach Resolution group. “If I had to pick one thing that really stood out it is that less than 25 percent were confident they could communicate and manage consumer needs, which to me is very enlightening given how critical it is in not only complying with the legal notification requirements, but more importantly, trying to protect your brand.”
This lack of confidence in being able to communicate with customers in the event of a breach could also be traced back to the fact that only 34 percent of respondents indicated that their organizations had provided training to their customer service personnel on how to respond to questions about a data breach incident. On the other hand, the study found that 54 percent of companies are providing privacy and data protection training to their employees, comparted to 44 percent in last year’s survey.
“I think the most cost-effective way to help yourself in terms of data breach preparedness is for a company or an organization to invest in job-specific security and privacy training. The reason I say that is because 80 percent of the breaches we work on had a root cause in employee negligence,” said Bruemmer. “Oftentimes it’s not the malware, it’s not the hackers or having a virus penetrate your system, but something along the lines of administrative credentials being lost, a laptop is left unattended, a USB key is lost, or the door to the network operations centers wasn’t locked and someone was able to walk-in and plant a virus. The viruses, malware and state-sponsored hackers – they make great headlines – but that’s not the root cause of data breaches.”
With the number of high-profile data breaches that have occurred just in the last the last few weeks, such as JPMorgan and Home Depot, it should come as no surprise that the frequency of data breaches has increased, according to the study. In fact, 43 percent of executives said their companies had experienced a breach in the last 12 months, compared to 33 percent in 2013. Sixty percent of respondents said that their company has experienced more than one data breach in the past two years.
“Ironically, 17 percent of the executives said they weren’t sure if had had an incident or not, which I found somewhat surprising given that they are the ones in the executive chair,” said Bruemmer.
More than three-quarters of those surveyed (77 percent) believed they needed to do more practice and “live fire” exercises around responding to potential breaches, said Bruemmer, adding that this is something that his firm has always recommended that companies do to better prepare themselves for what is almost an inevitability in today’s cyber threat landscape.
The study also found that there are more technology resources being devoted to thwarting breaches with 48 percent of executives saying they had increased spending on cybersecurity technology over the past 12 months. In addition, the number of organizations purchasing cyber insurance policies more than doubled with 26 percent of executives saying their company had bought a policy compared with just 10 percent that said they had done so in 2013.
Despite the management upheaval that can come about following a data breach, only 29 percent of respondents said that their company’s board of directors, chairman and CEO are informed and involved in the data breach response planning process.
“The good companies that we work with from the board level to the C-suite, they’re involved in the prioritization of a good, overall risk management strategy and they have appointed, in most cases, a chief information security officer, chief privacy officer, CIO or CTO,” explained Bruemmer. “What they will do is as part of that overall risk management strategy, they’re going to ensure that not only is a plan created and practiced, but there is delegated authority for the team responding to the data breach.”
According to the executives surveyed, the two most important things to have for consumers in the aftermath of a data breach is a call center where they can have their questions answered followed by a real identity theft protection product. Bruemmer said that his organization also recommends that companies write a sincere apology letters to their customers.
“Consumers ask three basic questions all the time; what happened, why did it happen and what do I do to protect myself going forward? It never hurts to say, ‘hey, I’m really sorry that this occurred,’” said Bruemmer. “Keep in mind that there are a couple of states that have specific regulations where you can’t call out certain areas, but the basic premise is write a sincere letter as though you are the consumer reading that yourself and what you would like to hear answering those three questions. It is not a compliance exercise. The average cost of a data breach now is about $5.4 million per incident and that’s across all sizes of businesses and $3.2 million of that figure is loss of brand reputation or revenue. A very good data breach response is going to build that brand reputation back and avoid consumers going to your competitor or walking away altogether.”