Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

Study: Breaches of Personal Data Now Prevalent in Enterprises

Eighty-five percent of enterprises have experienced at least one reportable incident in the past 12 months

Data breaches involving personally identifiable information are no longer the exception among enterprises -- they're now the rule.

According to a study released yesterday by the Ponemon Institute and Deloitte & Touche, 85 percent of the security or privacy executive surveyed -- some 800 individuals -- claimed at least one reportable security incident in the past 12 months.

Sixty-three percent said they have experienced between six and 20 breaches affecting personally identifiable information (PII) in the past year.

"Frankly, I’m shocked by the high percentage of PII data breaches we’re seeing occur within organizations," said Rena Mears, Deloitte global and U.S. privacy and data protection leader. "This survey provides insight into the scale of the problem and how enterprises are struggling to respond. It’s clear that both privacy and security professionals are caught in a reactive cycle."

"The astonishingly high rate of data breaches is undermining public trust in both commercial and governmental organizations and points to an urgent need for privacy and security to be elevated as a coordinated, strategic imperative within all organizations," said Larry Ponemon, chairman and founder of the Ponemon Institute. "Our research suggests that privacy and security are still largely reactive, siloed functions."

According to the researchers, the data suggests that a disconnect remains among IT security, privacy officers, legal, and compliance officers. The study found, for example, that privacy officers generally report to the legal department (38 percent) or a compliance officer (21 percent); IT security people generally report to the CIO (76 percent).

Security and privacy officers also continue to spend the majority of their time fixing problems, rather than preventing them, the researchers said. According to the study, more than 50 percent of the time of the survey respondents is spent on more reactive and tactical activities, such as remediation of operational vulnerabilities and responding to incidents in real time.

Respondents also complained that the breach notification process takes too long. Close to 20 percent of privacy and security professionals are spending their time notifying consumers and stakeholders of a data breach, the study says. The respondents feel that, ideally, they should be spending less than 5 percent of their incident response time on notification.

By contrast, respondents said they spend only 10 percent of their time developing their incident response programs, and just 7 percent of their time on employee training.

"The good news for the emerging privacy function is that privacy and security professionals are coming to agreement on the strategic requirements necessary to effectively address the issues associated with privacy and data protection," said Mears.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

  • Deloitte & Touche USA LLP
  • Ponemon Institute LLC }

    Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio

    Comment  | 
    Print  | 
    More Insights
  • Comments
    Newest First  |  Oldest First  |  Threaded View
    DevSecOps: The Answer to the Cloud Security Skills Gap
    Lamont Orange, Chief Information Security Officer at Netskope,  11/15/2019
    Attackers' Costs Increasing as Businesses Focus on Security
    Robert Lemos, Contributing Writer,  11/15/2019
    TPM-Fail: What It Means & What to Do About It
    Ari Singer, CTO at TrustPhi,  11/19/2019
    Register for Dark Reading Newsletters
    White Papers
    Video
    Cartoon Contest
    Write a Caption, Win a Starbucks Card! Click Here
    Latest Comment: -when I told you that our cyber-defense was from another age
    Current Issue
    Navigating the Deluge of Security Data
    In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
    Flash Poll
    Rethinking Enterprise Data Defense
    Rethinking Enterprise Data Defense
    Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
    Twitter Feed
    Dark Reading - Bug Report
    Bug Report
    Enterprise Vulnerabilities
    From DHS/US-CERT's National Vulnerability Database
    CVE-2019-18858
    PUBLISHED: 2019-11-20
    CODESYS 3 web server before 3.5.15.20, as distributed with CODESYS Control runtime systems, has a Buffer Overflow.
    CVE-2019-3466
    PUBLISHED: 2019-11-20
    The pg_ctlcluster script in postgresql-common in versions prior to 210 didn't drop privileges when creating socket/statistics temporary directories, which could result in local privilege escalation.
    CVE-2010-4659
    PUBLISHED: 2019-11-20
    Cross-site scripting (XSS) vulnerability in statusnet through 2010 in error message contents.
    CVE-2019-4530
    PUBLISHED: 2019-11-20
    IBM Maximo Asset Management 7.6, 7.6.1, and 7.6.1.1 could allow an authenticated user to delete a record that they should not normally be able to. IBM X-Force ID: 165586.
    CVE-2019-4561
    PUBLISHED: 2019-11-20
    IBM Security Identity Manager 6.0.0 could allow a remote attacker to execute arbitrary code on the system, caused by the deserialization of untrusted data. By persuading a victim to visit a specially crafted Web site, an attacker could exploit this vulnerability to execute arbitrary code on the syst...