For as long as Experian Data Breach Response has been polling security and privacy professionals about data breach preparedness, respondents have been calling for higher involvement from boards, chairmen and CEOs. Our fourth annual study with the Ponemon Institute, “Is Your Company Ready for a Big Data Breach,” indicates C-suiters may not be listening — even though IT teams are increasingly asking for more oversight and involvement.
Hello, is this thing on?
The number of respondents who want their C-suites to be more involved rose 6 percent to 76 percent in this latest survey. Yet more than half (57 percent) said their company’s executives were not informed of or involved in data breach response plans, and only 40 percent said their leadership would want to know right away if a material breach occurred. Two thirds have boards that don’t understand specific security threats facing their organizations, and slightly less than three quarters said their boards would be willing to be responsible for successfully executing their incident response plan.
In fact, 16 percent of IT professionals feel that a lack of support from leadership stands in the way of their effective response to a data breach.
Ignorance is not bliss
The risks for an organization experiencing a data breach are ever-escalating. No matter how large or financially secure an organization thinks it is, no one can afford the costs of leadership that is ignorant of risks and uninformed about response plans. The impact of a data breach or other cybersecurity event can be devastating. An informed, engaged board and C-suite can help mitigate the damages of such an incident.
Ponemon’s research has shown that board involvement in data breach response reduces the per-record cost of a breach by $5.50. As of early December 2016, 957 reported breaches had exposed more than 35 million individual records, according to the Identity Theft Resource Center. Six of those breaches exposed records in the seven-figure range and the largest compromised more than 5 million records, according to ITRC data.
According to IBM’s 2016 Cost of a Data Breach report, data breaches cost affected companies an average of $221 per exposed record. While a savings of $5.50 may seem like a small sum, when you do the math and multiply that cost by the vast number of records potentially exposed in a breach, the savings (or damage) can be monumental. Additionally, having a chief information security officer can further reduce the per-record cost by $5.60, Ponemon found. Other factors can also decrease the cost of a data breach, according to IBM’s report, including having an incident response plan and team in place.
What your C-suite should know and do
Securing the future of a company and ensuring its continued ability to grow and prosper are primary objectives for every board of directors and executive. Data breaches are a business risk that has the potential to inflict devastation on a company’s finances and reputation. Preventing one and preparing to respond to a data breach when it does occur should be high on the priority list for every C-suite.
To effectively support security and privacy teams in their efforts to manage data breach risks and mitigate impact, leadership should:
- Actively participate in creating an organization’s data breach response plan.
- Squelch the mindset that cybersecurity is the sole responsibility of the IT team, and instead treat it as an organization-wide priority.
- Ask for, review and act upon regular updates on cybersecurity and data breach preparedness.
- Understand and address regulatory compliance concerns when hiring outside vendors to supply cybersecurity and data breach response services.
- Hire a CISO if they don’t already have one, and request, receive and review regular communications from their CISO if one is already in place.
- Communicate with security and privacy teams about budgetary needs for cybersecurity, data breach preparedness and response.
- Fund cybersecurity across all departments.
Security professionals across virtually every industry are raising a red flag to their leadership that they need to pay more attention to cybersecurity and data breach response. C-suiters can’t afford to turn a deaf ear to these concerns. A company whose leadership is informed and engaged in data breach preparedness will be better able to mitigate the damage when a data breach does occur.
Legal Notice: The information you obtain herein is not, nor intended to be, legal advice. We try to provide quality information but make no claims, promises or guarantees about the accuracy, completeness or adequacy of the information contained. As legal advice must be tailored to the specific circumstances of each case and laws are constantly changing, nothing provided herein should be used as a substitute for the advice of competent legal counsel.