International data breaches are increasing and organizations are unprepared

Published: March 26, 2019 by Michael Bruemmer

The increase in the severity of data breaches, the spread of global attacks, and the demands of European privacy rules appear to be behind an increase in the attention high-level executives and boards of directors are paying to their firms' ability to prevent and respond to data thieves.

That’s the conclusion we can draw from the findings of Experian’s “Sixth Annual Study: Is Your Company Ready for a Big Data Breach?” For the study, researchers from the Ponemon Institute surveyed 643 U.S. businesspeople who work on privacy, compliance and IT security. The result is a revealing and informative look at best practices at firms that are avoiding data breaches, and at the cyber security concerns that are keeping top executives awake at night.

It’s easy to see why: Of those businesspeople surveyed, the share reporting a data breach rose to 59 percent from 56 percent last year – and an astounding 73 percent reported multiple breaches at their organization. On top of that worrying increase, the Ponemon research found that the average cost of a breach increased to $3.86 million, up from $3.62 million in 2017.

One big factor is that the incidence of global data breaches has been rising significantly, with 43 percent of those surveyed reporting global hacks, up from 39 percent last year. The trend is hardly surprising when we consider that even the most modest businesses now have a global presence, especially online. Businesses, however, haven’t kept their security measures up to date with that reach – just 29 percent of respondents said their organizations would be able to effectively handle an international data breach.

That might soon improve, though, because the European Union’s General Data Protection Regulation, which took effect in May 2018, is prompting businesses to expand their breach-handling plans to include practices for responding to an international data breach. In fact, 59 percent of the survey respondents reported that the GDPR compliance process at their companies has expanded to include details on handling an international data breach, up from 51 percent of respondents in 2016.

Unfortunately, complying with the GDPR data breach rules isn’t easy. But there is one clear way to quickly determine an organization’s level of compliance, according to the respondents.

Respondents at companies that must comply said that being able to quickly determine whether a breach resulted in a “risk for the rights and freedoms of natural persons” – the GDPR’s threshold for notifying supervisory authorities and affected individuals – is a clear indicator of whether an organization is in compliance. Businesses that hew to the notification rules are also considered effective at meeting the rest of the GDPR’s requirements. Of the 23 percent of survey respondents who rated their organizations as highly effective, 45 percent said their businesses would know right away whether a breach resulted in a risk to natural persons.

That informal rule of thumb applies because the GDPR notification rules are tough. Of the businesspeople surveyed, only 36 percent told researchers their organization would have a high ability to comply with the GDPR notification rules. Worse, a mere 23 percent of respondents rated their organizations as “effective in achieving compliance.”

In other words, if your organization has put in the effort to meet the GDPR notification requirements, it’s very likely that it’s complying with the rest of the GDPR rules, too. But either way, becoming fully compliant is an effort.

It’s also an effort that – to succeed – increasingly relies on the involvement of senior management. As breaches become bigger, more expensive, and more of a legal threat and a risk to a firm’s reputation and client/customer relationships, C-suite executives and even board members are increasingly taking an interest in how data theft is handled. The Ponemon researchers found that 54 percent of executives and 39 percent of directors were knowledgeable about and engaged in planning data breach responses. At companies that were breached, 49 percent of executives and 32 percent of board members were involved in the cybersecurity response.

That’s an encouraging sign that data security is being taken seriously. However, prevention doesn’t seem to be taking priority over after-the-fact response. Researchers found that C-suite leaders and board members primarily want to know whether a material data breach has occurred but remain unaware of the specific security threats facing their organizations.

Only 37 percent of respondents said senior leadership understands the specific security threats to their organization, and 35 percent said their board was aware of them. Only 22 percent of respondents say top executives conduct regular, detailed reviews of their data breach response plans, and just 10 percent say the same of their board members. That points to a problem because, as the report found, most businesspeople in the survey said that increasing the involvement of senior executives, adding practice drills to test breach responses, and recruiting people with a high level of security expertise to develop procedures leads to more effective response plans.

The rise in threats that can damage or destroy a business also appears to be influencing attitudes about data security. Events such as denial of service attacks and ransomware attacks – such as the 2017 WannaCry outbreak, estimated to have hit more than 150 countries and more than 300,000 computers at a cost of as much as $4 billion – have more organizations making their data breach responses part of their business continuity plans. The share of respondents reporting that their organization has done so rose from 46 percent in 2016 to 52 percent in 2018.

Finally, data security measures are becoming focused on more than just internal company structures and policies, with more organizations auditing the security procedures of their vendors and suppliers. Sixty percent of respondents say they have such a requirement, to reduce the risk of a third-party breach. In addition, the share of companies requiring their business partners to establish incident response plans increased from 80 percent in 2016 to 89 percent in 2018.