Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

Study: Breaches of Personal Data Now Prevalent in Enterprises

Eighty-five percent of enterprises have experienced at least one reportable incident in the past 12 months

Data breaches involving personally identifiable information are no longer the exception among enterprises -- they're now the rule.

According to a study released yesterday by the Ponemon Institute and Deloitte & Touche, 85 percent of the security or privacy executive surveyed -- some 800 individuals -- claimed at least one reportable security incident in the past 12 months.

Sixty-three percent said they have experienced between six and 20 breaches affecting personally identifiable information (PII) in the past year.

"Frankly, I’m shocked by the high percentage of PII data breaches we’re seeing occur within organizations," said Rena Mears, Deloitte global and U.S. privacy and data protection leader. "This survey provides insight into the scale of the problem and how enterprises are struggling to respond. It’s clear that both privacy and security professionals are caught in a reactive cycle."

"The astonishingly high rate of data breaches is undermining public trust in both commercial and governmental organizations and points to an urgent need for privacy and security to be elevated as a coordinated, strategic imperative within all organizations," said Larry Ponemon, chairman and founder of the Ponemon Institute. "Our research suggests that privacy and security are still largely reactive, siloed functions."

According to the researchers, the data suggests that a disconnect remains among IT security, privacy officers, legal, and compliance officers. The study found, for example, that privacy officers generally report to the legal department (38 percent) or a compliance officer (21 percent); IT security people generally report to the CIO (76 percent).

Security and privacy officers also continue to spend the majority of their time fixing problems, rather than preventing them, the researchers said. According to the study, more than 50 percent of the time of the survey respondents is spent on more reactive and tactical activities, such as remediation of operational vulnerabilities and responding to incidents in real time.

Respondents also complained that the breach notification process takes too long. Close to 20 percent of privacy and security professionals are spending their time notifying consumers and stakeholders of a data breach, the study says. The respondents feel that, ideally, they should be spending less than 5 percent of their incident response time on notification.

By contrast, respondents said they spend only 10 percent of their time developing their incident response programs, and just 7 percent of their time on employee training.

"The good news for the emerging privacy function is that privacy and security professionals are coming to agreement on the strategic requirements necessary to effectively address the issues associated with privacy and data protection," said Mears.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

  • Deloitte & Touche USA LLP
  • Ponemon Institute LLC }

    Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio

    Comment  | 
    Print  | 
    More Insights
  • Comments
    Oldest First  |  Newest First  |  Threaded View
    Why Cyber-Risk Is a C-Suite Issue
    Marc Wilczek, Digital Strategist & CIO Advisor,  11/12/2019
    Black Hat Q&A: Hacking a '90s Sports Car
    Black Hat Staff, ,  11/7/2019
    The Cold Truth about Cyber Insurance
    Chris Kennedy, CISO & VP Customer Success, AttackIQ,  11/7/2019
    Register for Dark Reading Newsletters
    White Papers
    Video
    Cartoon Contest
    Current Issue
    7 Threats & Disruptive Forces Changing the Face of Cybersecurity
    This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
    Flash Poll
    Rethinking Enterprise Data Defense
    Rethinking Enterprise Data Defense
    Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
    Twitter Feed
    Dark Reading - Bug Report
    Bug Report
    Enterprise Vulnerabilities
    From DHS/US-CERT's National Vulnerability Database
    CVE-2019-16863
    PUBLISHED: 2019-11-14
    STMicroelectronics ST33TPHF2ESPI TPM devices before 2019-09-12 allow attackers to extract the ECDSA private key via a side-channel timing attack because ECDSA scalar multiplication is mishandled, aka TPM-FAIL.
    CVE-2019-18949
    PUBLISHED: 2019-11-14
    SnowHaze before 2.6.6 is sometimes too late to honor a per-site JavaScript blocking setting, which leads to unintended JavaScript execution via a chain of webpage redirections targeted to the user's browser configuration.
    CVE-2011-1930
    PUBLISHED: 2019-11-14
    In klibc 1.5.20 and 1.5.21, the DHCP options written by ipconfig to /tmp/net-$DEVICE.conf are not properly escaped. This may allow a remote attacker to send a specially crafted DHCP reply which could execute arbitrary code with the privileges of any process which sources DHCP options.
    CVE-2011-1145
    PUBLISHED: 2019-11-14
    The SQLDriverConnect() function in unixODBC before 2.2.14p2 have a possible buffer overflow condition when specifying a large value for SAVEFILE parameter in the connection string.
    CVE-2011-1488
    PUBLISHED: 2019-11-14
    A memory leak in rsyslog before 5.7.6 was found in the way deamon processed log messages are logged when $RepeatedMsgReduction was enabled. A local attacker could use this flaw to cause a denial of the rsyslogd daemon service by crashing the service via a sequence of repeated log messages sent withi...