Report: Executives lack confidence in their ability to combat cyber threats

Feb. 26, 2020
Annual Experian study sheds light on the state of data breach preparedness in organizations

It seems that hardly a week goes by that a major cyberattack of some kind isn’t making headlines somewhere around the world. Whether it’s a major metropolitan city’s computer networks being crippled by ransomware (Atlanta, Baltimore, New Orleans, etc.) or the personal information of a hotel chain’s guests being pilfered in a massive data breach, the attacks and target vectors appear to be endless.

Both private and public sector organizations have increased the amount of resources devoted to fighting these threats; however, new research shows that despite their efforts, many executives still lack confidence in their ability to combat the problem. According to the results of Experian’s seventh annual data breach preparedness study, “Is Your Company Ready for a Big Data Breach?”, 68% of the more than 1,100 professionals surveyed in the U.S. and EMEA (Europe, Middle East and Africa) reported that their organization had put more resources toward security technologies to detect and respond quickly to data breaches. In addition, more than half of those who took part in the study (57%), which was conducted independently by the Ponemon Institute, felt their data breach response plans are “very” or “highly” effective, up from 49% in last year’s study.

However, despite the increased resources, 63% of those surveyed reported that their organization had suffered a data breach involving more than 1,000 records, a 4% increase from 2018. Furthermore, since 2017, those who said their organization is “very confident” or “confident” in their ability to deal with spear phishing, which involves sending fraudulent emails to specific individuals, has declined from 31% to 23%. More than two-thirds of respondents said they had suffered one or more spear phishing attacks in 2019.

In addition, 36% of respondents reported that their organizations suffered a ransomware attack last year but only 20% felt confident in their ability to deal with it. The average ransom was just over $6,000 and 68% of respondents said it was paid.

Perhaps more disturbing, according to Michael Bruemmer, vice president of Data Breach Resolution at Experian, is that although an overwhelming majority of organizations (94%) have a breach response plan in place, only 38% said they had an effective consumer response plan to deal with such an attack, and 66% haven’t reviewed or updated their data breach response plan since it was put into place.

“Even though people are doing some more preparedness, they’re not investing in practicing or updating their plan because 77% said they’re not confident in their ability with their plan or response to reduce reputational risk,” Bruemmer explains. “Consumers are willing to forgive people. Over 60% of the consumers in the study said if one of the organizations they do business with has a breach, if they do a consumer response and communicate what happened, why it happened and help them protect themselves and do it in a timely manner, they are going to ‘forgive’ that company or give them a break. But if you lose people’s data through a breach and then botch the consumer response, you’re going to get into trouble.”

To combat future cyberattacks, Bruemmer recommends that organizations do several things: First, he says they need to know where all of their data and endpoints are, and secondly, they need to conduct job-specific security and privacy training (how to avoid spear phishing, clicking malicious links, etc.) at least semi-annually.

“So far the hackers have been able to stay on the forefront of finding the next attack vector or getting ahead of where corporate security is,” he says. “Given the fact that hacking is now a borderless crime – it can be launched anywhere – you can go out without any technical expertise onto the Dark Web and buy a kit to execute a denial-of-service attack, a ransomware attack or malware attack. Whether it is nation-states or other criminal actors, they have time on their side and they have anonymity on their side.”

From the perspective of CISOs and other senior security leaders, Bruemmer says they must make sure they have an adequate budget to address the biggest cyber threats they face and that security is a strategic priority in their organizations. Ultimately, however, Bruemmer believes it is up to organizations themselves to decide whether they’re going to tackle these issues head on or continue to bury their heads in the sand.

“Breaches are becoming more prevalent but just like when you’re addressing someone who has an addiction problem, they have to admit that they are an addict first before you can help them. It’s the same thing with breaches: If people don’t want to admit they’ve had a breach and seek help, you can’t help them,” he says.

Joel Griffin is the Editor-in-Chief of SecurityInfoWatch.com and a veteran security journalist. You can reach him at [email protected].