Amidst today’s threat landscape, it is a positive sign that businesses have acknowledged data breaches as a corporate issue they must prepare for. Research shows business leaders are now more aware of the detrimental impact a data breach has on brand reputation. However – after reviewing three years of survey data on how executives are preparing for a data breach – it is surprising to report that many are still struggling to feel confident in their ability to manage a breach and execute a response plan.
According to Experian Data Breach Resolution’s Third Annual Study: Is Your Company Ready for a Big Data Breach?, 81 percent of companies now have a baseline data breach response plan in place, but only 34 percent of executives view those plans as effective. This can be largely attributed to significant holes in the response plans in terms of the types of data breaches they should prepare for.
Based on the survey of 604 executives and staff employees who work in privacy and compliance fields in the U.S., the following slideshow examines the current state of data breach preparedness in corporate America and steps security decision-makers can take to improve their incident response plans.
Is Your Company Ready for a Big Data Breach?
The following sections cover the current state of data breach preparedness, as well as steps security decision-makers can take to improve their incident response plans, as identified by Michael Bruemmer, vice president, Experian Data Breach Resolution.
Data Breaches Top Concern
Data breaches are more concerning than product recalls and lawsuits.
A majority of business leaders acknowledge the significant potential damage data breaches can cause to a corporate reputation. They ranked a data breach second only to poor customer service and ahead of product recalls, environmental incidents and publicized lawsuits.
This has resulted in increased awareness from senior leadership, with 39 percent of executives indicating their boards, chairmen and CEOs are involved at a high level in data breach preparedness. This is up from 29 percent in 2014. Businesses need to continue down this path by ensuring the security discussion starts at the board level.
Confidence in Plan Effectiveness Lacking
Executives lack confidence in the effectiveness of their data breach response plans.
Although more companies have increased security investments and incident response planning, when asked about preparedness, many senior executives are not confident in how they would handle a real-life issue. Of the 81 percent of companies that report having a data breach response plan, only 34 percent believe they would be effective. Additionally, only 28 percent are confident in their ability to minimize the financial and reputational consequences of a material breach.
To help address this issue, security executives should ensure that data breach response plans are regularly audited and kept current with changes in the risks and threats facing a company. Only 25 percent of respondents say their organizations update the data breach plan once or twice each year. Thirty-five percent of companies admit their data breach plan has not been updated or reviewed since the plan was put in place.
The Human Factor
Companies are not addressing the human factor of a data breach.
Despite human error being the leading cause of data breaches, employee security training is lacking. Half of survey respondents do not provide data protection training as part of new employee onboarding, and among companies that do provide employee security training, a majority conduct it only once.
As a best practice, companies should ensure they provide regular security and data privacy awareness training for employees. The specifics covered in these trainings should be regularly reviewed and updated to ensure their programs address the areas of greatest risk to the organization.
More organizations have cyber insurance policies and are working with third parties in data breach response.
Thirty-three percent of respondents say their company has a contract in place with a third-party firm to help prepare and respond to a data breach or security incident, up from 28 percent in 2014. This primarily includes outside legal counsel, IT security providers and data breach resolution providers. The cyber insurance industry is also booming – 35 percent now have a policy in place, more than triple the number of companies who had a policy in 2013.
Many security professionals agree that having a cyber insurance policy in place is a valuable part of any company’s risk mitigation strategy. Companies should consider purchasing a policy to strengthen their data breach response plans and carefully evaluate third-party partners. Ensure partners are familiar with your industry, can engage quickly and clearly understand their role in a response.
The Good News
The good news: Barriers to improving data breach response can easily be solved.
While 83 percent of companies stated that conducting fire drills would make their response plans more effective, less than half of the respondents report practicing and auditing their plan on an annual basis. This could easily be resolved, as difficulty scheduling is cited as the top reason why companies don’t practice their response plan.
Other relatively straightforward steps for improving data breach response plans include ensuring contact information for all members of the data breach response team is provided and outlining procedures for communicating with business partners if a breach occurs (61 percent currently don’t include either of these considerations in their response plans).