Our second annual data breach preparedness study, Is Your Company Ready for a Big Breach?, conducted by the Ponemon Institute, reveals good news and bad news for businesses concerned with data security—and that should be all businesses. First, the good news: more companies are acting to address data breach risks.
- The majority (73%) of organizations now have a data breach response plan in place – 12 percent more than in 2012.
- And nearly half (48%) have boosted investment in security technologies in the past 12 months, aiming to better detect and respond to a data breach.
Now, for the not-so-good news: they’re not doing enough, and don’t have confidence in the effectiveness of their current measures.
Survey results illustrate that not everyone is taking all the necessary steps to prepare for a data breach:
- A majority of 78 percent don’t regularly update their data breach response plans to address evolving threats.
- About two-thirds don’t have trained customer service staff who can respond to customer questions, concerns or complaints if a breach occurs.
- Only 29 percent of companies involve the CEO in dealing with security risks.
- Nearly three-quarters don’t have cyber insurance policies.
- Just 44 percent conducted a technical impact assessment to understand potential fallout from an incident.
- Less than a third had SIEM systems to facilitate early detection of an incident.
- 66 percent lack Mobile Device Management (MDM) to protect sensitive information from being pushed to mobile devices.
Those who have made provisions don’t necessarily feel more secure because of them:
- 62 percent don’t feel their organizations are prepared to respond to a data breach.
- 49 percent didn’t feel they were prepared to respond to the theft of information that would require notification to victims and regulators.
- Just a quarter were confident they could communicate about a breach and manage customer needs.
- 40 percent worry about the potential for a third party losing their data.
- Insider threats concern 56 percent, with 43 percent citing BYOD and cloud services as their top two internal threat concerns.
As to post-breach response, however, we are pleased to see that companies are well aware of the importance of providing customers involved in a breach with identity theft protection products and access to a call center; in fact, they cited those two as the most important services companies could provide post-breach.
Many of the concerns companies expressed over data breach preparedness and response – and in particular, worries over customer communication and regulatory compliance – can be addressed by preparing a response plan and practicing the plan on an ongoing basis. It’s also important to secure external partners such as legal counsel and a public relations firm, and to select a quality identity protection product to offer affected customers ahead of time. Then, when a breach occurs, the complete response team and all the moving parts are ready, allowing for a quick and smooth response.