Report: Organizations make incremental strides in data breach preparedness
Data breaches at organizations both large and small have become so common in recent years that the mantra among cybersecurity professionals is that it’s not a matter of if but rather when your business will be victimized. Whether a breach is the result of a brute force attack, social engineering or sheer carelessness, there is a multitude of ways that sensitive data can be compromised by bad actors, which is why the focus in many organizations today has moved from preventing breaches to mitigating their impacts.
However, there’s no one-size-fits-all approach for every business and the ability of companies to detect and respond to breaches varies widely. But in sharp contrast to the lackadaisical attitude many in the corporate world had towards the issue in prior years, headline-grabbing incidents in more recent times have forced an ever-increasing number of organizations to put formal data breach response plans in place. In fact, according to the “Sixth Annual Study: Is Your Company Ready for a Big Data Breach,” which was conducted by the Ponemon Institute and sponsored by Experian Data Breach Resolution, 92 percent of organizations surveyed reported that they had a data breach response plan.
Although the overwhelming majority of businesses have a plan, their actual ability to mitigate the impact of breach still leaves a lot to be desired. Of those organizations that did have a plan in place, over a third of those surveyed said they still weren’t prepared to respond. Additionally, 42 percent reported that there was no follow up or scheduled time to update their breach response plans and 23 percent said that they had not updated their current data breach plan since it was originally put into place.
The study also found that data breaches are increasing among organizations. Fifty-nine percent of those surveyed said their organization suffered a breach last year, a slight increase from 56 percent in 2017, and 73 percent of organizations reported suffering multiple breaches. Another 43 percent of respondents said their companies’ data breaches were global in nature, an increase from 39 percent in last year’s edition of the study.
Breach Preparedness on the Upswing
Despite the level of unpreparedness that still exists among many businesses, Michael Bruemmer, VP of Data Breach Resolution at Experian, says he is encouraged by the study’s findings as they continue to show steady improvement year-over-year for organizations by and large. For example, 52 percent of respondents in this year’s study believed their data breach response to be “very effective” compared to only 42 percent of companies polled just two years ago. In addition, 47 percent of organizations said that they now have a data breach or cyber insurance policy, which is up from 38 percent in 2016.
“There is better preparation, whether it is having a having a plan and updating the plan, whether it is security and privacy training for employees or making sure you have a cyber insurance policy and improving that,” Bruemmer adds. “Keep in mind – even with further preparedness – it’s still a game of cat and mouse. The people that are intending to break through your security and get inside are getting smarter, more complex and more aggressive every day. What was good for your company in 2018 is not going to be necessarily just as good in 2019. It’s always a situation where continuous improvement wins the day.”
Awareness and Training Improve
Given that 84 percent of organizations believe employee negligence has a significant impact on their security posture, the study also found that more organizations are providing increased training for their workforce. According to the study:
- 73 percent of organizations have privacy/data protection awareness and training programs for employees and other stakeholders, up from 61 percent in 2016;
- 60 percent said theses training and awareness programs are regularly reviewed and updated compared to 50 percent two years ago;
- And, 47 percent reported that their businesses provide training to their employees on how to recognize and minimize spear phishing incidents.
With the majority of breaches still being caused by employee negligence, Bruemmer says the fact that still over a quarter of businesses don’t provide any kind of privacy/data protection training is concerning.
Another area where Bruemmer said businesses need to up their game from a training aspect is around ransomware and spear phishing. As it currently stands, only 21 percent of organizations say they are “very confident” in their ability to mitigate ransomware attacks and just 25 percent report that same confidence level in fending off spear phishing attacks.
“Companies that conduct regular ransomware training or spear phishing training in addition to their overall security training program seem to be much better prepared,” Bruemmer says. “Secondarily, there are companies that are reinforcing training – for employees don’t keep up with their own individual training programs or complete things on time – by stipulating that workers may not receive performance bonuses or weekly updates and access. Companies are reinforcing the message that training is important but there are actually some concrete steps they are taking versus a slap on the hand and saying, ‘Oh, it’s too bad you haven’t done your training, you’ll catch up next time.’”
Lack of C-suite Involvement Continues
Surprisingly, there remains a significant portion of senior executives that are uninvolved and uniformed about their organization’s data breach response plans. Only 37 percent of those surveyed said their senior leadership teams understand the cybersecurity threats they are facing and just 35 percent believed that their board understands those threats. Additionally, less than a quarter (22 percent) of respondents said the C-suite regularly participates in detailed reviews of the organization’s data breach response plan and only 10 percent said that their board participates. This is despite the fact that data breaches (27 percent) ranked a close second to poor customer service (29 percent) when study participants were asked what events or issues would have an impact on their reputation.
According to Bruemmer, there seems to be a disconnect between what many executives say publicly with regards to cybersecurity and what they actually do within their companies.
“Companies that don’t have security and privacy as one of their top three priorities baffle me. There are surveys that have been done by major publications that ask the question, ‘what worries you about your plans for next year or what things could disrupt you from executing your strategic direction?’ Most CEOs or board chairs will say a major cybersecurity incident is something that they worry about but it doesn’t always translate from that concern to actually implementing and making it a priority,” he says. “We find that companies that are most prepared and have a plan are companies that take it seriously at the board and C-suite level. They walk the talk and ensure that everyone from management to frontline employees have that same level of priority.”
For more information or to download a full copy of the study, click here.
About the Author:
Joel Griffin is the Editor of SecurityInfoWatch.com and a veteran security journalist. You can reach him at [email protected].