TRAVERSE CITY, Mich.–Half of all organizations contacted in a new survey indicated they have had a data breach involving the loss or theft of more than 1,000 records containing sensitive or confidential information in the past two years, and most of those companies indicated they lack confidence they can prevent future breaches.
The new research released by the Ponemon Institute and sponsored by Experian Data Breach Resolution, surveyed 604 executives and staff employees who work primarily in privacy and compliance in the United States, and since 2013 has sought to track changes in how confident companies are in responding to a data breach. This year’s research also digs into what companies are specifically including in their data breach response plans to get to the root cause of why their confidence is lacking and the areas where they struggle to follow best practices.
Among the findings of the research report, titled Third Annual Study: Is Your Company Ready for a Big Data Breach:
- Of the 81% of respondents who say their company has a plan, only 34% say these plans are very effective. “Specifically, organizations aren’t taking into account the full breadth of procedures that need to be incorporated in the response plan and aren’t considering the wide variety of security incidents that can happen. The good news is some of the barriers to addressing those issues can be easily solved,” the report states.
-
Data breaches are more concerning than product recalls and lawsuits. A majority of
business leaders acknowledge the potential damage data breaches can cause to corporate reputation is significant. They ranked a data breach second only to poor customer service and ahead of product recalls, environmental incidents and publicized lawsuits. - Data breach preparedness sees increased awareness from senior leadership. Boards of directors, chairmen and CEOs have become more involved and informed in the past 12 months about their companies’ plans to deal with a possible data breach. In 2014, only 29% of respondents said their senior leadership were involved in data breach preparedness. This year, perhaps due to recent mega breaches, 39% of respondents say their boards, chairmen and CEOs are involved at a high level, the report found. “Most interesting is their participation in a high-level review of the data breach response plan in place increased from 45% to 54% of respondents.”
- Significant increase in response plans over three years. The research found more companies have a baseline data breach response plan in place. Since first conducting this study in 2013, the percentage of organizations that reported having a data breach response plan increased from 61% to 81%. “However, it is surprising that still not all companies are taking the basic step of developing a data breach response plan,” the report states.
- Many are still struggling in terms of feeling confident in their ability to secure data and manage a breach. Just 34% of respondents say their organizations’ data breach response plan is very effective or effective. “Despite increased security investments and incident response planning, when asked in detail about the preparedness of their organization, many senior executives are not confident in how they would handle a real-life issue,” the report says. “
- Data breach response plans are often missing crucial steps. “While it is encouraging to see more companies have a response plan in place, they are often lacking important considerations for the types of incidents that can happen and procedures that need to be incorporated,” the report states, noting that despite a rise in international data breaches and the number of companies operating overseas, more than a third (37%) of respondents do not address procedures for responding to a data breach involving an overseas location. The report further found that a quarter of respondents don’t review the incident response plans of their third-party partners, yet 44% rank third-party access to data as one of the biggest barriers to IT security’s response to a data breach.