In its fourth year, the Ponemon Institute’s data breach preparedness study sponsored by Experian Data Breach Resolution reveals a mixed bag of good and not-so-good news.
The percentage of companies that experienced a breach edged up to 52 percent (from 49 percent in 2015), but 86 percent do have data breach response plans in place (up 5 percent from last year). However, the study also points to the human factor as continuing to create significant weaknesses in data breach defense, especially against emerging threats such as ransomware and international breaches.
As in previous years, the study polled domestic executives and staff working primarily in privacy, compliance and IT. Responses indicate that while companies appear to be taking data breach preparedness seriously overall, significant gaps still exist in key areas like senior-level involvement and employee education.
Leadership wanted
Over the past three surveys, participants have expressed a desire for greater involvement from senior managers and boards of directors. Yet 57 percent still say boards and C-suite executives are not informed and involved in data breach preparedness. What’s more, the majority — 60 percent — say their leadership has not asked to be notified immediately when a material data breach occurs, and 34 percent say their board doesn’t understand the security threats specific to the organization. More than a quarter say their board members are unwilling to take responsibility for successfully executing an incident response plan.
The leadership void is especially troubling; multiple studies have shown senior-level involvement is critical to successful data breach response, and in mitigating the damages associated with security incidents.
New threats, same exposures
Ransomware attacks and international breaches are growing in frequency, yet many companies are not taking the steps necessary to prepare for such attacks. Nearly half of those surveyed said their organizations are not doing any of the things they should do in order to prevent and/or prepare for a possible ransomware incident. Further, a staggering 83 percent are not educating their employees about the risk of ransomware. It’s not uncommon for ransomware attacks to infiltrate through employee email, and leaving staff uneducated about threats and prevention elevates the organization’s risk of falling prey to an attack.
In fact, lack of employee education continues to be a significant concern. While more companies (61 percent) are educating employees about privacy and data protection, these programs are often relegated to employee orientation processes. Yet employee education should be an ongoing process; as threats evolve and emerge, so must employees’ understanding of how to identify, block and respond to cyberattacks.
Companies are also falling short in preparing for international data breaches. While 51 percent have incorporated processes for an international data breach in their data breach response plans, less than a third are confident those provisions would be effective.
Takeaways and next steps
Data breach risks continue to escalate, and while companies are doing a better job overall of recognizing and preparing for risks, significant and concerning security gaps still exist. Companies must take action to shore up these gaps with greater leadership involvement and education at every level of the organization, from the top down.
The Fourth Annual Study: Is Your Company Ready for a Big Data Breach? is available for free download.
Legal Notice: The information you obtain herein is not, nor intended to be, legal advice. We try to provide quality information but make no claims, promises or guarantees about the accuracy, completeness or adequacy of the information contained. As legal advice must be tailored to the specific circumstances of each case and laws are constantly changing, nothing provided herein should be used as a substitute for the advice of competent legal counsel.