For years, organizations have been warned that it isn’t if you’ll be the victim of a data breach, but when. That’s still the case—you must always be prepared for that worst-case scenario—but some organizations seem to be hit with a lot of data breaches, while others stay breach-free for a year or more. According to the Experian and Ponemon Institute report, Sixth Annual Study: Is Your Company Ready for a Big Data Breach?, 29 percent of those surveyed self-reported that they were not breached in 2018, compared to 59 percent who said they dealt with at least one breach. What lessons can we learn from those companies that avoided a data breach last year?
They Had a Highly Effective Data Breach Plan
One commonality among the companies that did not report a breach in 2018 was the effectiveness of their data breach plan. Having a plan in place is already going to put you a step ahead, but the respondents who rated their plan as highly effective were more likely to report they had no data breaches last year.
An effective data breach plan will include:
- Determining your vulnerability. Some industries are naturally more vulnerable to a data breach than others, like healthcare and banking, simply because of the sensitive information they hold. But vulnerability also includes the visibility of the endpoints connected to the network and the regularity of basic security steps like patching software.
- Recognizing a data breach when you see one. The term data breach gets tossed around a lot, but not every cyber incident is a breach. Knowing what constitutes a data breach goes a long way in preventing one.
- Knowing your data. Understanding what is classified as sensitive data and where that is collected and stored will allow you to better protect those files.
- Having a team in place. Putting together a data breach response team that meets regularly to discuss action plans and their roles can actually help prevent a breach. These are the folks who know how to limit damage after it happens, so they are often aware of where the organization’s vulnerabilities are.
The Boy Scout motto holds true here. Being prepared with an effective data breach plan is one part of the preparedness necessary to prevent a data breach. Overall, the report found that those who feel they have taken the steps to prepare for a data breach didn’t have a breach in 2018. These steps include:
- Reviewing physical security and access to confidential information
- Conducting third-party risk assessments
- Integrating data breach response into their business continuity plans
- Creating backup plans, such as a “standby website,” in case of downtime
Engaged Leadership and Greater Investment
According to the report, 54 percent of organizations without a data breach said, “their C-suite executives are informed about how their privacy and IT security functions plan to deal with a data breach.” Unfortunately, organizations are less likely to have an informed board of directors, and this could impact the risk of a data breach. The report found only 39 percent of organizations with cyber-aware boards of directors avoided a data breach.
C-level executives and boards of directors are the people responsible for budgets and for overseeing cybersecurity staffing. The more involved they are in data breach plans, and the better they understand what is at risk—lost data and high fines—the more they’ll understand the need to invest in security systems and policies.
In fact, the study found that “73 percent of respondents say their organizations increased their investment in technologies specifically to better detect and respond quickly to a data breach,” helping them avoid becoming a victim of a breach.
Improving Data Privacy and Awareness Through Training
Data privacy regulations have created a heightened sense of awareness surrounding data protection. These regulations mean that more organizations are required to develop systems designed to keep sensitive data secure and to improve their response plans so they can report a data breach within a short timeframe. Employee awareness training on these issues is essential, since employees are the ones tasked with keeping data secured. So, it is not surprising that 79 percent of organizations that offered security and data privacy awareness training and education evaded a data breach, while only 21 percent of those companies without such training managed to escape being breached.
Overall data breach preparedness involves sharing information about vulnerabilities and cyber incidents. In fact, the report found that “51 percent of respondents say their organization participates or plans to participate in an initiative or program for sharing information with government and industry peers about data breaches and incident response.” Thus, only 27 percent of organizations that participate in a program for sharing information with government and industry peers about data breaches and incident response admitted to a breach while 53 percent of those organizations who do not participate in incident sharing programs were victims last year.
Responding to an International Breach
Many companies operate globally, either doing business through international ecommerce sites or having physical locations around the world. You are just as likely to be breached offshore as you are at home, so preparedness is necessary on a global scale. Organizations that reported having an incident response plan in place to mitigate an international breach are less likely to have a data breach.
Being prepared and taking positive steps for corporate engagement at all levels aren’t going to prevent every data breach. It is still a “when, not if” situation. However, following the example of the organizations that avoided a data breach in 2018 could improve your chances of keeping your data protected from malicious actors.
For more information, read the study here.