Data breach preparedness plans not being updated or exercised: survey

While most organizations have a data breach preparedness plan in place, data indicates that executives are not updating or practicing the plan regularly and lack confidence in its effectiveness. These findings come from the ‘Is Your Company Ready for a Big Data Breach?’ study, conducted by the Ponemon Institute and sponsored by Experian Data Breach Resolution.

The fourth annual study shows that data breach preparedness certainly is on the organizational radar, and having a response plan in place is par for the course. The number of organizations with a plan increased from 61 percent in 2013 to 86 percent in 2016. Despite this, 38 percent of organizations surveyed have no set time period for reviewing and updating their plan, and 29 percent have not reviewed or updated their plan since it was put in place. Furthermore, only 27 percent of organizations surveyed are confident in their ability to minimize the financial and reputational consequences of a breach, and 31 percent lack confidence in dealing with an international incident.

"When it comes to managing a data breach, having a response plan is simply not the same as being prepared," said Michael Bruemmer, vice president at Experian Data Breach Resolution. "Unfortunately many companies are simply checking the box on this security tactic. Developing a plan is the first step, but preparedness must be considered an ongoing process, with regular reviews of the plan and practice drills."

Additional key findings include:

  • 58 percent of surveyed organizations (compared with 48 percent in 2014) have increased their investment in security technologies in the past 12 months in order to be able to detect and respond quickly to a data breach.
  • 61 percent of surveyed organizations (compared with 44 percent in 2013) have a privacy/data protection awareness and training program for employees and other stakeholders who have access to sensitive or confidential personal information.
  • Companies understand that they need to take action after a breach occurs to keep customers and maintain their reputation. To do so, those surveyed believe the best approaches are providing free identity theft protection and credit monitoring services (71 percent), gift cards (45 percent), and discounts on products or services (40 percent).
  • Among those organizations surveyed that do not practice their plan (26 percent), a majority (64 percent) don't practice because it is not a priority.
  • Only 38 percent of companies surveyed have a data breach or cyber insurance policy. Of those that do not have such a policy, 40 percent have no plans to purchase one.
  • Fewer than half (46 percent) of survey respondents have integrated response plans into their business continuity plans, and only 12 percent meet with law enforcement or state regulators in advance of an incident.
  • Only 39 percent of organizations surveyed practice their plan at least twice a year.
