While most organizations have a data breach preparedness plan in place, executives are not updating or practicing the plan regularly and lack confidence in its effectiveness, according to a study by the Ponemon Institute.
The fourth annual study shows that data breach preparedness certainly is on companies’ radar, and having a response plan in place is par for the course. The number of organizations with a plan increased from 61 percent in 2013 to 86 percent in 2016. However, despite this strong majority of companies that now have a response plan in place, 38 percent of organizations surveyed have no set time period for reviewing and updating it, and 29 percent have not reviewed or updated their plan since it was put in place.
Furthermore, only 27 percent of organizations surveyed are confident in their ability to minimize the financial and reputational consequences of a breach, and 31 percent lack confidence in dealing with an international incident.
“When it comes to managing a data breach, having a response plan is simply not the same as being prepared,” said Michael Bruemmer, vice president at Experian Data Breach Resolution. “Unfortunately many companies are simply checking the box on this security tactic. Developing a plan is the first step, but preparedness must be considered an ongoing process, with regular reviews of the plan and practice drills.”
The lack of planning is especially troublesome when considering the rise of new threats in the marketplace, such as ransomware. In fact, the study showed that 56 percent of surveyed organizations are not confident that they could deal with a ransomware incident. Additionally, only 9 percent of survey respondents have determined under what circumstances they would pay to resolve a ransomware incident.
“Investing in breach preparedness is like planning for a natural disaster. You hope it will never happen, but just in case, you invest time and resources in a response plan so your company can survive the storm,” added Bruemmer.
The good: Companies show an increase in the level of preparedness
- 58% of surveyed organizations (compared with 48% in 2014) have increased their investment in security technologies in the past 12 months in order to be able to detect and respond quickly to a data breach.
- 61% of surveyed organizations (compared with 44% in 2013) have a privacy/data protection awareness and training program for employees and other stakeholders who have access to sensitive or confidential personal information.
- Companies understand that they need to take action after a breach occurs to keep customers and maintain their reputation. To do so, those surveyed believe the best approaches are providing free identity theft protection and credit monitoring services (71%), gift cards (45%), and discounts on products or services (40%).
The bad: Missteps and signs of complacency
- Among those organizations surveyed that do not practice their plan (26%), a majority (64%) don’t practice because it is not a priority.
- Only 38% of companies surveyed have a data breach or cyber insurance policy. Of those that do not have such a policy, 40% have no plans to purchase one.
- Less than half (46%) of survey respondents have integrated response plans into their business continuity plans, and only 12% meet with law enforcement or state regulators in advance of an incident.
- Only 39% of organizations surveyed practice their plan at least twice a year.