The State of Data Breach Preparedness

Published: March 5, 2019 by Michael Bruemmer

Cyberattacks skyrocketed in 2018, thanks in part to the dramatic rise in endpoints and devices and also to the growing sophistication of the attacks. This increase in cyberattacks means the risk of your organization suffering a data breach has also gone up. Are you prepared?

That’s the question raised in the Sixth Annual Study: Is Your Company Ready for a Big Data Breach, sponsored by Experian® Data Breach Resolution and conducted by Ponemon Institute. The study asked 643 professionals in IT and IT security, compliance and privacy, all of whom are involved in their organizations’ data breach response plans, for feedback on how prepared their organizations are to mitigate a data breach.

The good news is that, overall, the effectiveness of data breach plans improved over the past year; however, only 52 percent think that their response plan is very effective. This may be because what is considered the most critical piece to combat data breaches, employee awareness training, continues to lag. Just 47 percent of the respondents said they educate employees to recognize and to avoid spearphishing-related incidents.

Financial Implications

As the number of data breaches and the volume of compromised data increase, organizations are experiencing worsening financial consequences. This year’s study found that six out of ten companies experienced at least one data breach, and nearly three-quarters of those organizations dealt with multiple breaches. Ponemon estimated a single data breach can cost a business more than $3 million.

One of the bigger financial hits comes from reputational losses. Data breaches hurt a business’s reputation, according to 27 percent of respondents. The most common response to reputational damage is to offer free credit and identity theft monitoring, followed by offering free or discounted services.

Leadership Participation Essential

C-level executives and boards of directors should play a role in an organization’s overall cybersecurity efforts and data breach response plans, since all security-related efforts such as budgeting and staffing have to be approved by leadership. While the C-suite has general knowledge of the organization’s data breach plans, executives remain mostly reactive in their own response. Only half of executives want to know immediately about a cyber incident, about a third understand the specific security threats against their company, and less than a quarter have reviewed the details of the response plan. Boards of directors are even less aware; in fact, their overall knowledge of data breach response plans declined over the past year.

For the response plan to be effective, however, leadership participation is vital. IT and security professionals believe that when their leadership actively participates in cybersecurity oversight and preparedness, data breach response plans are more effective.

Privacy Regulations Compliance

Perhaps no security-related issue was bigger in 2018 than data privacy. With the implementation of the EU’s General Data Protection Regulation (GDPR), and the push for new privacy laws in the United States, organizations (and consumers) are more aware about the need to protect sensitive information. GDPR influenced organizations to be more mindful of their global customer base and the threat of international data breaches, with an increased number of companies adding these concerns into their data breach response plans.

However, compliance with GDPR has not been easy: only a third of organizations state they have a high ability to comply with breach response regulations, and only 23 percent say they are effective in achieving compliance.

The Problem Areas

Companies are turning to tools to address cyberattacks and response time. Security awareness training has also proven to be an effective tool when used: 79 percent of the companies that did not have a data breach say they provide security education. However, there are still areas where no one feels confident about their security systems or awareness training. Spearphishing and ransomware are threats that security and IT professionals have little confidence in preventing, because the sophistication of these attacks outpaces the ability to prepare employees for them.

Organizations aren’t prepared for the rise of the Internet of Things (IoT) in the workplace. IoT devices have their own security weaknesses, and the vast number of endpoints connected to the network requires new levels of protection; however, only one in five organizations feels fully prepared to respond to an IoT attack.

Even though the adage is “when, not if, you’ll be breached,” not every company in this survey suffered a data breach in the past two years. These companies credit their effective data breach preparedness and incident response plans as the reason, and these same companies rate their plans as highly effective. As cyberattacks continue to rise, having an effective plan, as well as engaged leadership, appears to provide the best protection from data breaches.

Download Experian’s Sixth Annual Data Breach Preparedness Study