Data breach preparedness plans not being updated or exercised: survey
- Published: Thursday, 06 October 2016 07:49
While most organizations have a data breach preparedness plan in place, data indicates that executives are not updating or practicing the plan regularly and lack confidence in its effectiveness. These findings are according to the ‘Is Your Company Ready for a Big Data Breach?’ study, conducted by the Ponemon Institute and sponsored by Experian Data Breach Resolution.
The fourth annual study shows that data breach preparedness certainly is on the organizational radar, and having a response plan in place is par for the course. The number of organizations with a plan increased from 61 percent in 2013 to 86 percent in 2016. However, despite this, 38 percent of organizations surveyed have no set time period for reviewing and updating it, and 29 percent have not reviewed or updated their plan since it was put in place. Furthermore, only 27 percent of organizations surveyed are confident in their ability to minimize the financial and reputational consequences of a breach, and 31 percent lack confidence in dealing with an international incident.
"When it comes to managing a data breach, having a response plan is simply not the same as being prepared," said Michael Bruemmer, vice president at Experian Data Breach Resolution. "Unfortunately many companies are simply checking the box on this security tactic. Developing a plan is the first step, but preparedness must be considered an ongoing process, with regular reviews of the plan and practice drills."
Additional key findings include:
- 58 percent of surveyed organizations (compared with 48 percent in 2014) have increased their investment in security technologies in the past 12 months in order to be able to detect and respond quickly to a data breach.
- 61 percent of surveyed organizations (compared with 44 percent in 2013) have a privacy/data protection awareness and training program for employees and other stakeholders who have access to sensitive or confidential personal information.
- Companies understand that they need to take action after a breach occurs to keep customers and maintain their reputation. To do so, those surveyed believe the best approaches are providing free identity theft protection and credit monitoring services (71 percent), gift cards (45 percent), and discounts on products or services (40 percent).
- Among those organizations surveyed that do not practice their plan (26 percent), a majority (64 percent) don't practice because it is not a priority.
- Only 38 percent of companies surveyed have a data breach or cyber insurance policy. Of those that do not have such a policy, 40 percent have no plans to purchase one.
- Less than half (46 percent) of survey respondents have integrated response plans into their business continuity plans, and only 12 percent meet with law enforcement or state regulators in advance of an incident.
- Only 39 percent of organizations surveyed practice their plan at least twice a year.