More companies developing data breach response plans, study finds

Nov. 3, 2015
Effectiveness of plans questioned by executives, employee training still lacking

These days it seems as if with each passing week there is a new announcement from a government agency or private company regarding a breach of their network that has resulted in the personal information of their employees or customers being compromised. The situation has become so dire that it has finally led federal lawmakers to take action with the passage of the highly controversial Cybersecurity Information Sharing Act last week by the Senate. However, the results of Experian’s third annual study on data breach preparedness found that an increasing number of organizations have plans in place to deal with the aftermath of breach.

The study, which was independently conducted by Ponemon Institute and surveyed over 600 executives and other employees who work primarily in privacy and compliance in the U.S., found that 81 percent of organizations do indeed have a data breach response plan in place. That’s a 20-point increase from just two years ago when only 61 percent of organizations reported having such a plan.

However, only 34 percent of respondents in this year’s survey believed these plans are “very effective” or “effective.” That could also be attributed to the fact that a good portion of respondents reported that their plan was not regularly reviewed. Only 25 percent of those surveyed said that their organization updates the data breach plan once or twice each year. Another 25 percent said that the plan has not been reviewed or updated since it was put in place.

Despite the relatively low number of respondents that have faith in the effectiveness of their plans, Michael Bruemmer, vice president of Experian Data Breach Resolution group, is encouraged by the number of organizations that do have a plan and are actually practicing them than in previous studies.

“You have more people practicing their plans. Let’s say at the beginning you might have had 15 to 25 percent of the people that had a plan in place actually practicing that plan, now 55 to 60 percent that have a plan actually do practice it and they see it as beneficial,” said Bruemmer. “I also think that you’ve seen from three years ago, even though this study wasn’t about cyber insurance, I can tell you that less than 20 percent of the industry or the folks we worked with regularly had a cyber insurance policy. Now, 47 percent of the respondents in this survey said that they did have a cyber insurance policy.”  

In addition, the devastating consequences for organizations that have suffered highly-publicized data breaches have made them top of mind for business leaders. In fact, a majority of executives who took part in this year’s study ranked data breaches second to only poor customer service as an issue that would have the greatest potential to impact their organization’s reputation. To put that into perspective, product recalls, environmental incidents and publicized lawsuits all ranked lower than data breaches on the list.

“It just goes to show you that all of these headline grabbing incidents have had a huge impact when you stop and think of those media headlines compared to a major product recall, lawsuit or an environmental incident,” said Bruemmer.       

Over 80 percent of respondents said that they would like to practice or conduct drills more regularly on the plans they do have and just over 70 percent indicated they would like more involvement from the board or C-suite on the development of data breach response plans. With that being said, the study did find that senior leaders are increasingly involved and informed about their data breach plans. In fact, 54 percent of respondents in this year’s survey said that their boards and C-suite leaders participate in high-level reviews of data breach response plans, compared to just 45 percent in last year’s survey.    

While the majority of organizations appear to be taking the threats posed by data breaches to their businesses seriously, Bruemmer concedes there are likely still a small number of companies that are more interested in checking a box on a compliance sheet than with really taking the necessary steps to bolster their breach mitigation and resolution efforts.    

“I think the companies that are truly concerned about the protection of personal identity information or personal health information and the privacy of the individual’s data that they have are the ones that are putting the plan in place, are practicing the plan, have board oversight, and provide great responses. That’s the vast majority of folks and is evidenced by the fact that more people have a plan… but there are some people that are just going through the exercises and they don’t really care,” said Bruemmer. “At least it’s moving in the right direction. Some would argue in this day and age with headline grabbing breaches, ‘why don’t we have 100 percent compliance with people having a plan?’ That’s a question I can’t answer, but I can tell you there are more people that want to go in that direction based on the survey we did.”

The study also shows a need among organizations across the board to place a greater emphasis on employee training. Despite the fact that the cause of most data breaches can be traced back to human error or negligence, less than half of those surveyed indicated their response plans account for managing a data breach caused by a malicious employee or contractor. Among companies that do provide employee security training, a majority only conducts it once (40 percent) or sporadically (31 percent). Additionally, 45 percent of respondents said that the content of their awareness and training programs are not regularly reviewed and updated to ensure they address the areas of greatest risk to the organization.

Bruemmer said one of the reasons for this may be due to the fact that employee training programs come under the budget of human resources, which security has little to no control over. Another may be that it is just easier to blame hackers than accept personal accountability for security failures.

“Companies still haven’t gotten the message and it’s easier to blame a hacker, malware or a nation state versus dealing with the problem of, ‘Hey, I forgot to put that firmware patch in or we didn’t have the correct level of encryption in that particular part of the cloud that we put our data on.’ I think people are still a little bit in denial of the reality of the problem,” added Bruemmer.

Click here for more information about the study or to download a free copy.  

About the Author

Joel Griffin | Editor-in-Chief,

Joel Griffin is the Editor-in-Chief of, a business-to-business news website published by Endeavor Business Media that covers all aspects of the physical security industry. Joel has covered the security industry since May 2008 when he first joined the site as assistant editor. Prior to SecurityInfoWatch, Joel worked as a staff reporter for two years at the Newton Citizen, a daily newspaper located in the suburban Atlanta city of Covington, Ga.