With large-scale data breaches and ransomware schemes continuing to plague organizations in both the public and private sectors, cybersecurity awareness among companies and their executive teams is at an all-time high. However, increased awareness hasn’t necessarily translated into increased preparedness.
According to the results of the fourth annual data breach preparedness survey conducted by the Ponemon Institute, which included responses from 665 executive and staff employees who work primarily in privacy and compliance in the U.S., 86 percent of organizations say they currently have data breach response plans in place. In 2013, only 61 percent of organizations had adopted such plans. In addition, 61 percent of organizations now say they have privacy and data protection awareness and training programs in place for employees and other stakeholders compared to just 44 percent in 2013.
While these findings would tend to suggest that things are headed in right direction, there has been little change in the number of companies that are truly prepared to deal with the consequences of a hacker intrusion. For example, only 41 percent of respondents said they were prepared to respond to a breach involving business confidential information and intellectual property, which is only a three percent increase from 2014. And just 39 percent of respondents said their organization is effective at doing what needs to be done following a breach to prevent the loss of customers’ and business partners’ trust and confidence, which is mere six percentage points higher than what was reported in the 2014 survey.
“I think there is some fatigue in breach preparation among companies that have to prepare for a breach,” says SIW cybersecurity contributor and Experian Data Breach Resolution Vice President Michael Bruemmer, whose firm sponsored the study. “The numbers are not moving as fast as we thought they would move.”
Bruemmer says one of the biggest themes that came out of this year’s report was that just having a plan in place isn’t enough for organizations to be able to say they’re adequately prepared for a breach. In fact, 29 percent of organizations say they have not reviewed or updated their plan since it was established.
Additionally, Bruemmer says companies seeking to move beyond their basic data breach response plan have found significant gaps in those existing plans as part of their review process. For instance, only 43 percent of respondents said their board is informed about their plan and just 12 percent of organizations reported meeting with law enforcement or regulators in advance of an incident. And while the number of organizations who have had their data held hostage by ransomware has exploded over the past year, 45 percent of companies said they haven’t taken any steps to prepare for this type of attack.
Bruemmer believes that many organizations are simply complacent when it comes to data breach preparedness and think that that by throwing money at the problem through either security hardware or software purchases that it is just going to go away.
“By not spending on things like employee training, putting a plan in place, and not having board oversight, involvement and support of a plan, you’re surely not going to be prepared,” Bruemmer says. “That’s where the rubber doesn’t meet the road.”
Many organizations were also found to be lacking when it comes to mitigating the financial risk of a breach as only 38 percent of companies reporting having a data breach or cyber insurance policy. Of those who did not have a policy (55 percent), 40 percent said they had no plans to purchase one.
“That’s surprising because every article that I have read recently about cyber insurance indicates that it is core component of a risk mitigation strategy and, in many cases, boards are saying we have to have some form of cyber insurance as part of our overall insurance profile and risk mitigation plan but that’s not happening either,” Bruemmer adds. “This idea that it’s too hard or there is not enough budget, I don’t buy it as an excuse. It’s just people not, I think, executing and investing in the right things.”
On a positive note, Bruemmer said the fact that organizations have started to think about how to handle an international breach which is a good sign. The survey found that 58 percent of companies have a process in place for handling an international breach.
“That is very encouraging because, especially with the impending legislation in Europe with GDPR that will go into effect in May 2018, to have 58 percent of the organizations say they’ve contemplated an international breach is good,” he says.
Despite this and a few other bright spots, Bruemmer says it’s clear that organizations still have their work cut out for them in confronting the cybersecurity issues they face. The fact that 76 percent of respondents said that it was too difficult to schedule time to create a breach plan is an indication to Bruemmer that many companies haven’t fully grasped the severity of the threat.
“That’s sort of like walking down the street and saying, ‘It’s too difficult for me to schedule time to take breath,’” Bruemmer says.
Bruemmer believes the study is a good “wake-up call” for organizations.
“The C-Suite really has to get more engaged and ensure data breach response planning as part of an overall strategic priority on cybersecurity that has to come to the board level. And if it doesn’t, based on the responses from the people in this survey, it shows it is not going to be a bottom-up process,” Bruemmer says.
Click here for more information or to download a full copy of the report.