Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

Study: Breaches of Personal Data Now Prevalent in Enterprises

Eighty-five percent of enterprises have experienced at least one reportable incident in the past 12 months

Data breaches involving personally identifiable information are no longer the exception among enterprises -- they're now the rule.

According to a study released yesterday by the Ponemon Institute and Deloitte & Touche, 85 percent of the security or privacy executive surveyed -- some 800 individuals -- claimed at least one reportable security incident in the past 12 months.

Sixty-three percent said they have experienced between six and 20 breaches affecting personally identifiable information (PII) in the past year.

"Frankly, I’m shocked by the high percentage of PII data breaches we’re seeing occur within organizations," said Rena Mears, Deloitte global and U.S. privacy and data protection leader. "This survey provides insight into the scale of the problem and how enterprises are struggling to respond. It’s clear that both privacy and security professionals are caught in a reactive cycle."

"The astonishingly high rate of data breaches is undermining public trust in both commercial and governmental organizations and points to an urgent need for privacy and security to be elevated as a coordinated, strategic imperative within all organizations," said Larry Ponemon, chairman and founder of the Ponemon Institute. "Our research suggests that privacy and security are still largely reactive, siloed functions."

According to the researchers, the data suggests that a disconnect remains among IT security, privacy officers, legal, and compliance officers. The study found, for example, that privacy officers generally report to the legal department (38 percent) or a compliance officer (21 percent); IT security people generally report to the CIO (76 percent).

Security and privacy officers also continue to spend the majority of their time fixing problems, rather than preventing them, the researchers said. According to the study, more than 50 percent of the time of the survey respondents is spent on more reactive and tactical activities, such as remediation of operational vulnerabilities and responding to incidents in real time.

Respondents also complained that the breach notification process takes too long. Close to 20 percent of privacy and security professionals are spending their time notifying consumers and stakeholders of a data breach, the study says. The respondents feel that, ideally, they should be spending less than 5 percent of their incident response time on notification.

By contrast, respondents said they spend only 10 percent of their time developing their incident response programs, and just 7 percent of their time on employee training.

"The good news for the emerging privacy function is that privacy and security professionals are coming to agreement on the strategic requirements necessary to effectively address the issues associated with privacy and data protection," said Mears.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

  • Deloitte & Touche USA LLP
  • Ponemon Institute LLC }

    Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio

    Comment  | 
    Print  | 
    More Insights
  • Comments
    Newest First  |  Oldest First  |  Threaded View
    NSA Appoints Rob Joyce as Cyber Director
    Dark Reading Staff 1/15/2021
    Register for Dark Reading Newsletters
    White Papers
    Video
    Cartoon Contest
    Write a Caption, Win an Amazon Gift Card! Click Here
    Latest Comment: Hunny, I looked every where for the dorritos. 
    Current Issue
    2020: The Year in Security
    Download this Tech Digest for a look at the biggest security stories that - so far - have shaped a very strange and stressful year.
    Flash Poll
    Assessing Cybersecurity Risk in Today's Enterprises
    Assessing Cybersecurity Risk in Today's Enterprises
    COVID-19 has created a new IT paradigm in the enterprise -- and a new level of cybersecurity risk. This report offers a look at how enterprises are assessing and managing cyber-risk under the new normal.
    Twitter Feed
    Dark Reading - Bug Report
    Bug Report
    Enterprise Vulnerabilities
    From DHS/US-CERT's National Vulnerability Database
    CVE-2020-8567
    PUBLISHED: 2021-01-21
    Kubernetes Secrets Store CSI Driver Vault Plugin prior to v0.0.6, Azure Plugin prior to v0.0.10, and GCP Plugin prior to v0.2.0 allow an attacker who can create specially-crafted SecretProviderClass objects to write to arbitrary file paths on the host filesystem, including /var/lib/kubelet/pods.
    CVE-2020-8568
    PUBLISHED: 2021-01-21
    Kubernetes Secrets Store CSI Driver versions v0.0.15 and v0.0.16 allow an attacker who can modify a SecretProviderClassPodStatus/Status resource the ability to write content to the host filesystem and sync file contents to Kubernetes Secrets. This includes paths under var/lib/kubelet/pods that conta...
    CVE-2020-8569
    PUBLISHED: 2021-01-21
    Kubernetes CSI snapshot-controller prior to v2.1.3 and v3.0.2 could panic when processing a VolumeSnapshot custom resource when: - The VolumeSnapshot referenced a non-existing PersistentVolumeClaim and the VolumeSnapshot did not reference any VolumeSnapshotClass. - The snapshot-controller crashes, ...
    CVE-2020-8570
    PUBLISHED: 2021-01-21
    Kubernetes Java client libraries in version 10.0.0 and versions prior to 9.0.1 allow writes to paths outside of the current directory when copying multiple files from a remote pod which sends a maliciously crafted archive. This can potentially overwrite any files on the system of the process executi...
    CVE-2020-8554
    PUBLISHED: 2021-01-21
    Kubernetes API server in all versions allow an attacker who is able to create a ClusterIP service and set the spec.externalIPs field, to intercept traffic to that IP address. Additionally, an attacker who is able to patch the status (which is considered a privileged operation and should not typicall...