Data breach preparedness study: Good news, bad news and an empowering conclusion

September 30, 2014 by Michael Bruemmer

Our second annual data breach preparedness study, Is Your Company Ready for a Big Breach?, conducted by the Ponemon Institute, reveals good news and bad news for businesses concerned with data security, and that should be all businesses. First, the good news: more companies are acting to address data breach risks.

  • The majority (73%) of organizations now have a data breach response plan in place – 12 percent more than in 2012.
  • And nearly half (48%) have boosted investment in security technologies in the past 12 months, aiming to better detect and respond to a data breach.

Now, for the not-so-good news: they’re not doing enough, and don’t have confidence in the effectiveness of their current measures.

Survey results illustrate that not everyone is taking all the necessary steps to prepare for a data breach:

  • A majority of 78 percent don’t regularly update their data breach response plans to address evolving threats.
  • About two-thirds don’t have trained customer service staff who can respond to customer questions, concerns or complaints if a breach occurs.
  • Only 29 percent of companies involve the CEO in dealing with security risks.
  • Nearly three-quarters don’t have cyber insurance policies.
  • Just 44 percent conducted a technical impact assessment to understand potential fallout from an incident.
  • Less than a third had SIEM systems to facilitate early detection of an incident.
  • 66 percent lack Mobile Device Management (MDM) to protect sensitive information from being pushed to mobile devices.

Those who have made provisions don’t necessarily feel more secure because of them:

  • 62 percent don’t feel their organizations are prepared to respond to a data breach.
  • 49 percent didn’t feel they were prepared to respond to the theft of information that would require notification to victims and regulators.
  • Just a quarter were confident they could communicate about a breach and manage customer needs.
  • 40 percent worry about the potential for a third party losing their data.
  • Insider threats concern 56 percent, with 43 percent citing BYOD and cloud services as their top two internal threat concerns.

As to post-breach response, however, we are pleased to see that companies are well aware of the importance of providing customers involved in a breach with identity theft protection products and access to a call center; in fact, they cited those two as the most important services companies could provide post-breach.

Many of the concerns companies expressed over data breach preparedness and response – and in particular, worries over customer communication and regulatory compliance – can be addressed by preparing a response plan and practicing the plan on an ongoing basis. It's also important to secure external partners such as legal counsel and a public relations firm, and to select a quality identity protection product to offer affected customers, ahead of time. That way, when a breach occurs, the complete response team and all the moving parts are ready, allowing for a quick and smooth response.