Companies complacent about data breach preparedness

The good news is that most organizations now have a data breach preparedness plan. The bad news is that many don't review, update or practice it, according to a new study.


The likelihood that a company will experience a security incident continues to rise every year. While most organizations have put a data breach preparedness plan in place to deal with such incidents, most aren't updating or practicing the plan regularly, according to a study released earlier this month.

"When it comes to managing a data breach, having a response plan is simply not the same as being prepared," Michael Bruemmer, vice president at Experian Data Breach Resolution (which sponsored the study), said in a statement. "Unfortunately, many companies are simply checking the box on this security tactic. Developing a plan is the first step, but preparedness must be considered an ongoing process, with regular reviews of the plan and practice drills."

The Fourth Annual Study: Is Your Company Ready for a Big Data Breach? was conducted by security research firm Ponemon Institute on behalf of Experian Data Breach Resolution. In August, Ponemon surveyed 619 executives and staff employees in the U.S. who work primarily in privacy, compliance and IT security.


This year's study found that the share of organizations with a data breach preparedness plan reached 86 percent in 2016, up from 61 percent in 2013. Ponemon also found a number of other signs that companies are taking data breach preparedness more seriously:

  • 58 percent of respondents say their organizations have increased investment in security technologies in the past 12 months with an eye to detecting and quickly responding to data breaches. That's up from 48 percent in 2014.
  • 61 percent of respondents say their organizations have a privacy/data protection awareness and training program in place for employees and other stakeholders who have access to sensitive or confidential personal information. That's up from 44 percent in 2013.
  • Companies have come around to the idea that after a breach occurs, they need to take concrete steps to retain customers and protect their reputation. 71 percent of respondents say the best approach is providing free identity theft protection and credit monitoring services, 45 percent favor gift cards and 40 percent favor discounts on products or services.

Are you really prepared for disaster?

But even as organizations pay more attention to data breach preparedness, most aren't giving their plans the attention needed to execute them successfully when the time comes. Ponemon found that 38 percent of organizations have no set time period for reviewing and updating their plan, and 29 percent have not reviewed or updated their plan since it was first put in place. Only 27 percent of organizations surveyed felt confident in their ability to minimize the financial and reputational consequences of a breach, and 31 percent lacked confidence in their ability to handle an incident that crosses international borders.


Meanwhile, the threats a plan has to cover keep changing. In April, Symantec released its 2016 Internet Security Threat Report, which found that ransomware increased by 35 percent in 2015. Much of that increase came from newer crypto-ransomware variants, which encrypt files on the victim's computers using strong encryption and then demand a ransom in exchange for the decryption key.

Ponemon's study found that 56 percent of organizations are not confident they could handle a ransomware incident, and only 9 percent of respondents said their organization has decided in advance under what circumstances it would pay to resolve one.

More reasons to worry

Other causes for concern from the study include the following:

  • Of the 26 percent of organizations that don't practice their plan, 64 percent said the reason they don't practice it is that it's not a priority.
  • Only 38 percent of companies surveyed said they have a data breach or cyber insurance policy. Of those that said they do not have a policy, 40 percent said they have no plans to purchase one.
  • Only 46 percent of respondents have integrated response plans into their business continuity plans, and only 12 percent meet with law enforcement or state regulators in advance of an incident.
  • Only 39 percent of organizations surveyed practice their plan at least twice a year.

"Investing in breach preparedness is like planning for a natural disaster," Bruemmer says. "You hope it will never happen, but just in case, you invest time and resources in a plan so your company can survive the storm."

Download the CIO Nov/Dec 2016 Digital Magazine