The importance of good governance in data breach preparedness

Published: March 13, 2019 by Michael Bruemmer

When it comes to preventing data breaches and hacks, effective cybersecurity starts at the top, according to findings revealed in Experian’s “Sixth Annual Study: Is Your Company Ready for a Big Data Breach?”

For the first time, the annual study includes a special analysis to scrutinize the behavior of leaders at those companies that successfully avoided any significant data breach in the past two years – despite a staggering increase in the number of records hijacked during 2018. The study’s researchers found that one of the seven key elements at organizations that manage to keep their data safe was the involvement of C-suite executives and even members of the corporate board in cybersecurity prevention and response.

A crucial takeaway from the study: leadership matters. The ability of any business operation to adapt and respond to changing threats depends on its senior managers and owners making change a priority, setting meaningful goals for managers, and monitoring the progress. Meaningful improvements in companywide behavior and culture rarely take root when senior executives provide little more than lip service to support the effort.

Why senior executives and board members are scrutinizing data safety is clear: Ponemon researchers estimated that a single data breach can cost a business more than $3 million. The study found that 60 percent of businesses surveyed had a data breach during 2018. Of those, three-quarters were hit more than once.

In addition, cyber insurance policies mostly focus on providing coverage for external attacks on the business from criminals. Only about one-third of those companies that carry cyber insurance said they have coverage for incidents arising from system or business process failures, or those caused by human error, mistakes and negligence. This limits the ability of breached businesses to recover their costs of responding to an attack, making prevention well worth the cost.

Beyond the initial financial expenses, any organization victimized by data thieves faces a significant threat to its reputation. How much reputation suffers depends on the organization’s speed and responsiveness in notifying customers, business partners and any other potential victims, on its compliance with legal requirements, and on the quality of the help it gives victims in coping with the ongoing risk of having their personal data abused by criminals.

All of this explains why cybersecurity is getting more attention from top managers. At companies that avoided breaches, the study found that 54 percent of executives and 39 percent of directors were knowledgeable and engaged in planning data breach responses. At companies that were breached, 49 percent of executives and 32 percent of board members were involved with cybersecurity response.

While the level of executive involvement is encouraging, there is still clearly room for improvement, with nearly half of executives and close to a third of directors failing to engage with data breach responses.

And even in those cases where leaders and board members are involved in cybersecurity, their emphasis is on reaction to breaches rather than prevention – and even that engagement is limited. Researchers found that just 49 percent of executives wanted to know immediately about a cyber incident, while 35 percent of respondents with a knowledgeable board said their directors want to be immediately notified about a breach.

Participation in prevention was even lower, with about a third of executives familiar with specific security threats against their companies, and less than a quarter actively reviewing the details of their data breach response plans. Board members were even less aware, and their overall knowledge of breach response plans dropped during 2018 compared with 2017. IT and security professionals told researchers that when executives and board members take an active role in cybersecurity oversight and preparedness, data breach response plans become more effective.

Only 37 percent of respondents say senior leadership, and 35 percent say board members, understand the specific security threats facing their organization. Only 22 percent of respondents say the C-suite regularly participates in detailed reviews of their data breach response plan, and a mere 10 percent say the same of board members.

For the response plan to be effective, however, leadership participation is vital. IT and security professionals told researchers they believe breach response plans are more effective when their leadership takes an active role in cybersecurity oversight and preparedness. One reason is that all security-related efforts, such as budgeting and staffing, must eventually be approved by company leadership.

In terms of reputational risk after a breach, the number of respondents who said they want to see services such as credit monitoring and identity theft protection provided for four years or more increased during 2018 – up to 53 percent from 51 percent. That included 18 percent of respondents who recommend monitoring and protection for eight years or longer.

One good reason for spending the time and effort to provide several years of credit and data protection is that 75 percent of all respondents rated offering those free services as the single best method for retaining customers and protecting the organization’s reputation after a breach. That approach far outdistanced any other, including discounts on services, free gift cards and access to a call center for information.