According to a recent study conducted by the Ponemon Institute, the vast majority of companies now have a data breach response plan in place, yet most of the IT professionals surveyed lacked confidence in their company’s data breach preparedness plans.
Only 42% of respondents to the Experian-sponsored survey said their breach response plans were effective or very effective. A further 31% lacked confidence in their company’s ability to deal with an international incident, and just 27% said they thought their company would be able to minimize the financial and reputational consequences of a data breach.
The study was conducted on 619 executive and staff employees whose primary role in their organization was IT security, compliance, and/or privacy. The sample pool included organizations from a range of industries including education, healthcare, finance, retail, and the public sector. Respondents were asked questions about data breach preparedness, disaster planning, and staff awareness training.
In 2013, when the last study was conducted, 61% of organizations had data breach response plans in place. Now, three years on, the percentage has risen to 86%. However, having a data breach response plan in place does not mean that companies are well prepared to deal with a data breach when one occurs.
Plans may have been formed to deal with a breach, but for many companies those plans have not been updated since they were initially formed, even though the cybersecurity landscape has changed considerably.
Ransomware attacks have increased substantially in the past 12 months, yet many companies have not included ransomware incidents in their data breach response plans. Should an attack take place, many would not be able to mount an efficient response. Only 9% of organizations had documented the circumstances under which a ransom payment would be made following an attack, and 56% of respondents said they were not confident that they would be able to deal with a ransomware attack should one occur.
Data breach preparedness is a process, not a one-time event. As Michael Bruemmer, vice president at Experian Data Breach Resolution, explained, “When it comes to managing a data breach, having a response plan is simply not the same as being prepared.” Bruemmer went on to say, “Developing a plan is the first step, but preparedness must be considered an ongoing process, with regular reviews of the plan and practice drills.”
The survey showed that training was insufficient in many companies. While training on privacy and data protection awareness was being provided, only 42% of companies provided the training as part of employee orientation. Beyond orientation, awareness training was provided only annually (26%) or sporadically (29%). Only 3% of respondents said training was provided every 6 months.
If data breach preparedness efforts stop at developing a data breach response plan, chances are it is not going to be possible to execute an efficient and effective response to a data breach when one does occur. Data breach preparedness requires plans to be developed, but they need to be updated regularly if those plans are to remain effective. The plans also need to be tested and drills performed. Only then will companies be able to say with certainty that they are properly prepared for a data breach when one occurs.