Following the aftermath of the Target data breach in 2013, organizations both large and small began to wake up to the dangers that cyber-attacks present to their businesses. Obviously, there have been a number of other high-profile breaches in the wake of Target in recent years, including Anthem, the U.S. Office of Personnel Management (OPM) and Equifax just to name a few, but the potential consequences of these incidents – financial losses, reputational damage to the brand, government inquiries, and even job terminations – are now well-known to everyone.
So, with the likely impacts clearly defined, just how well prepared are companies today to mitigate and respond to a data breach? The answer, according to a new study, is that organizations, by and large, still have a ways to go, even as the number of businesses who report that they have been the victim of a breach continues to rise.
In fact, Experian Data Breach Resolution’s Fifth Annual Data Breach Preparedness Study, which was conducted by the Ponemon Institute and surveyed more than 600 executives and staff employees who work in privacy, compliance and IT security roles in the U.S., found that 56 percent of organizations experienced a data breach involving the loss or theft of records containing confidential customer or business information in 2017, compared to 52 percent in 2016. In addition, 70 percent of respondents reported that their organization had experienced multiple breaches, while 39 percent said their companies’ data breaches were global in nature.
Despite this, a significant portion of company boards and C-level executives are still not actively engaged in addressing cyber threats. According to the study, less than half (48 percent) of respondents said their C-suite executives are informed and knowledgeable about how their companies plan to respond to a breach and only 39 percent reported that their boards of directors were.
“I blame this on two things: one is they haven’t had to suffer the consequences of some of the (executives) we’ve read about in the news that have either been demoted, fired or retired because of a large incident. So, they’re still in a mode of, ‘it’s not going to happened to me,'” Michael Bruemmer, Experian’s VP of Consumer Protection for Experian, says. “Secondly, they’ve been shielded by the people that should be preparing them.”
Ideally, Bruemmer says delegated authority should be given to either a privacy attorney, CISO or CIO to actually run an organization’s breach response plan, keeping the CEO and other high-level executives informed along the way and ensuring that security and privacy are one of the top three corporate priorities. But, he says that’s simply not happening in a lot of businesses today. “I believe the other C-suite executives who have security as their primary job are doing a disservice to their bosses or peers depending on the company,” Bruemmer adds.
On a positive note, the study also found that 88 percent of companies had some type of data breach plan in place. However, less than half (49 percent) of those polled characterized their breach plans as being either “very effective” or “effective.” Among the reasons given by respondents that didn’t think their plans were very effective included:
- Inability to prevent the loss of customers’ and business partners’ trust and confidence (60 percent);
- Not prepared to respond to a data breach involving business confidential information and intellectual property (60 percent);
- And, inability to prevent negative public opinion, blog posts and media reports (64 percent).
Bruemmer says he was also discouraged to learn that only about a third of those polled in the study felt comfortable that they could detect, let alone respond to a spear phishing attack, and that the vast majority (61 percent) of companies are still not sharing threat intelligence or breach response information due to lack of resources, which he says is a “cop out.”
Addressing Leadership Gaps
Despite the many areas in which data breach response preparation is still lacking in organizations today, Bruemmer says a lot of these issues can be fixed as long as they are made a made a priority by the executive leadership team.
“The C-suite now has to have cybersecurity as one of their top three priorities and it comes to that prioritization and leadership from the top down that will instill upon an organization that, ‘not only do we have to be prepared, we have to actually walk the talk when the time comes,’ because you can tell from the answers to the follow-on questions,” he says. “Ok, you think you’re prepared? What are you doing to be prepared? Are you conducting regular exercises? Are you updating the (breach response) plan? Are you paying attention and working with other individuals in the industry to share information?”
Unfortunately, based on the answers given by the survey’s respondents, Bruemmer doesn’t think that a majority of executives are providing the guidance necessary on this issue, which has subsequently lead to a “leadership gap” during a crucial juncture in time for data security, given the upcoming compliance deadline for the European Union’s General Data Privacy Regulation (GDPR) and other legislative initiatives related to cybersecurity around the globe. “There’s lots of high-profile legislation that organizations need to be aware of and the CEO has to have that security posture at the top to lead the company,” he adds.
Combatting Cybersecurity Apathy
Another problem that has become prevalent in many companies, according to Bruemmer, is the attitude adopted by some that if a breach is going to happen anyway, why bother spending time, money and resources trying to stop it? Using the analogy of a bear attacking a group of people in the woods, Bruemmer says that companies don’t necessarily have to the fastest runner in the party in terms of their ability to mitigate threats, but they do need to be faster than the slowest person in the group.
“It’s the same way with cybersecurity. You’ve got to have minimum standards, defend yourself and have preparedness to spot the attacks coming… so when someone is knocking on your door – they’re going to knock on everybody’s door – you’re door, so to speak, it is the hardest one to get into,” he says.
And though an overwhelming majority of respondents indicated that their organizations have a breach response plan in place, 66 percent also reported that they have no set time for reviewing and updating the plan or have not reviewed the plan since it was put in place. Additionally, Bruemmer says not enough businesses are working with vendors and other partners to ensure they are minimizing risks in their supply chain.
“Just as you would, in your own company, have protocols to alert you that a potential activity may be happening, there needs to be those same protocols that you can observe your entire network of who you do business with to let you know that a breach has already occurred instead of waiting for them to notify you,” he adds.
Perhaps most concerning of all, according to Bruemmer, is that only 19 percent of respondents felt their breach response plans were “highly effective," which considering the onslaught of cyber-attacks businesses face on a daily basis doesn’t bode well for long term. “You know you’re going to get attacked, you know you’re going to have security incidents but if less than 20 percent say they’re plan is effective, that is a real concern,” he says.
For more information or to download a copy of the study, click here.
About the Author:
Joel Griffin is the Editor-in-Chief of SecurityInfoWatch.com and a veteran security journalist. You can reach him at firstname.lastname@example.org.