BreachExchange mailing list archives

More companies developing data breach response plans, study finds


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 3 Nov 2015 19:48:51 -0700

http://www.securityinfowatch.com/article/12134348/more-companies-developing-data-breach-response-plans-study-finds

These days it seems as if with each passing week there is a new
announcement from a government agency or private company regarding a breach
of its network that has resulted in the personal information of its
employees or customers being compromised. The situation has become so dire
that it has finally led federal lawmakers to take action with the passage
of the highly controversial Cybersecurity Information Sharing Act last week
by the Senate. On a more encouraging note, the results of Experian’s third
annual study on data breach preparedness found that an increasing number of
organizations have plans in place to deal with the aftermath of a breach.

The study, which was independently conducted by Ponemon Institute and
surveyed over 600 executives and other employees who work primarily in
privacy and compliance in the U.S., found that 81 percent of organizations
do indeed have a data breach response plan in place. That’s a 20-point
increase from just two years ago when only 61 percent of organizations
reported having such a plan.

However, only 34 percent of respondents in this year’s survey believed
these plans are “very effective” or “effective.” That could also be
attributed to the fact that a good portion of respondents reported that
their plan was not regularly reviewed. Only 25 percent of those surveyed
said that their organization updates the data breach plan once or twice
each year. Another 25 percent said that the plan has not been reviewed or
updated since it was put in place.

Despite the relatively low number of respondents that have faith in the
effectiveness of their plans, Michael Bruemmer, vice president of Experian’s
Data Breach Resolution group, is encouraged that more organizations have a
plan, and are actually practicing it, than in previous studies.

“You have more people practicing their plans. Let’s say at the beginning
you might have had 15 to 25 percent of the people that had a plan in place
actually practicing that plan; now 55 to 60 percent that have a plan
actually do practice it and they see it as beneficial,” said Bruemmer. “I
also think that you’ve seen from three years ago, even though this study
wasn’t about cyber insurance, I can tell you that less than 20 percent of
the industry or the folks we worked with regularly had a cyber insurance
policy. Now, 47 percent of the respondents in this survey said that they
did have a cyber insurance policy.”

In addition, the devastating consequences for organizations that have
suffered highly publicized data breaches have made breaches top of mind for
business leaders. In fact, a majority of executives who took part in this
year’s study ranked data breaches second only to poor customer service as
the issue with the greatest potential to damage their organization’s
reputation. To put that into perspective, product recalls, environmental
incidents and publicized lawsuits all ranked lower than data breaches on
the list.

“It just goes to show you that all of these headline grabbing incidents
have had a huge impact when you stop and think of those media headlines
compared to a major product recall, lawsuit or an environmental incident,”
said Bruemmer.

Over 80 percent of respondents said that they would like to practice or
conduct drills more regularly on the plans they do have and just over 70
percent indicated they would like more involvement from the board or
C-suite on the development of data breach response plans. With that being
said, the study did find that senior leaders are increasingly involved and
informed about their data breach plans. In fact, 54 percent of respondents
in this year’s survey said that their boards and C-suite leaders
participate in high-level reviews of data breach response plans, compared
to just 45 percent in last year’s survey.

While the majority of organizations appear to be taking the threats posed
by data breaches to their businesses seriously, Bruemmer concedes there are
likely still a small number of companies that are more interested in
checking a box on a compliance sheet than in really taking the necessary
steps to bolster their breach mitigation and resolution efforts.

“I think the companies that are truly concerned about the protection of
personal identity information or personal health information and the
privacy of the individual’s data that they have are the ones that are
putting the plan in place, are practicing the plan, have board oversight,
and provide great responses. That’s the vast majority of folks and is
evidenced by the fact that more people have a plan… but there are some
people that are just going through the exercises and they don’t really
care,” said Bruemmer. “At least it’s moving in the right direction. Some
would argue in this day and age with headline grabbing breaches, ‘why don’t
we have 100 percent compliance with people having a plan?’ That’s a
question I can’t answer, but I can tell you there are more people that want
to go in that direction based on the survey we did.”

The study also shows a need among organizations across the board to place a
greater emphasis on employee training. Despite the fact that the cause of
most data breaches can be traced back to human error or negligence, less
than half of those surveyed indicated their response plans account for
managing a data breach caused by a malicious employee or contractor. Among
companies that do provide employee security training, a majority conducts
it only once (40 percent) or sporadically (31 percent). Additionally,
45 percent of respondents said that the content of their awareness and
training programs is not regularly reviewed and updated to ensure it
addresses the areas of greatest risk to the organization.

Bruemmer said one reason for this may be that employee training programs
come under the budget of human resources, over which security has little to
no control. Another may be that it is simply easier to blame hackers than
to accept personal accountability for security failures.

“Companies still haven’t gotten the message and it’s easier to blame a
hacker, malware or a nation state versus dealing with the problem of, ‘Hey,
I forgot to put that firmware patch in or we didn’t have the correct level
of encryption in that particular part of the cloud that we put our data
on.’ I think people are still a little bit in denial of the reality of the
problem,” added Bruemmer.