Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

Study: Breaches of Personal Data Now Prevalent in Enterprises

Eighty-five percent of enterprises have experienced at least one reportable incident in the past 12 months

Data breaches involving personally identifiable information are no longer the exception among enterprises -- they're now the rule.

According to a study released yesterday by the Ponemon Institute and Deloitte & Touche, 85 percent of the security or privacy executive surveyed -- some 800 individuals -- claimed at least one reportable security incident in the past 12 months.

Sixty-three percent said they have experienced between six and 20 breaches affecting personally identifiable information (PII) in the past year.

"Frankly, I’m shocked by the high percentage of PII data breaches we’re seeing occur within organizations," said Rena Mears, Deloitte global and U.S. privacy and data protection leader. "This survey provides insight into the scale of the problem and how enterprises are struggling to respond. It’s clear that both privacy and security professionals are caught in a reactive cycle."

"The astonishingly high rate of data breaches is undermining public trust in both commercial and governmental organizations and points to an urgent need for privacy and security to be elevated as a coordinated, strategic imperative within all organizations," said Larry Ponemon, chairman and founder of the Ponemon Institute. "Our research suggests that privacy and security are still largely reactive, siloed functions."

According to the researchers, the data suggests that a disconnect remains among IT security, privacy officers, legal, and compliance officers. The study found, for example, that privacy officers generally report to the legal department (38 percent) or a compliance officer (21 percent); IT security people generally report to the CIO (76 percent).

Security and privacy officers also continue to spend the majority of their time fixing problems, rather than preventing them, the researchers said. According to the study, more than 50 percent of the time of the survey respondents is spent on more reactive and tactical activities, such as remediation of operational vulnerabilities and responding to incidents in real time.

Respondents also complained that the breach notification process takes too long. Close to 20 percent of privacy and security professionals are spending their time notifying consumers and stakeholders of a data breach, the study says. The respondents feel that, ideally, they should be spending less than 5 percent of their incident response time on notification.

By contrast, respondents said they spend only 10 percent of their time developing their incident response programs, and just 7 percent of their time on employee training.

"The good news for the emerging privacy function is that privacy and security professionals are coming to agreement on the strategic requirements necessary to effectively address the issues associated with privacy and data protection," said Mears.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

  • Deloitte & Touche USA LLP
  • Ponemon Institute LLC }

    Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio

    Comment  | 
    Print  | 
    More Insights
  • Comments
    Threaded  |  Newest First  |  Oldest First
    Why Cyber-Risk Is a C-Suite Issue
    Marc Wilczek, Digital Strategist & CIO Advisor,  11/12/2019
    The Cold Truth about Cyber Insurance
    Chris Kennedy, CISO & VP Customer Success, AttackIQ,  11/7/2019
    Black Hat Q&A: Hacking a '90s Sports Car
    Black Hat Staff, ,  11/7/2019
    Register for Dark Reading Newsletters
    White Papers
    Video
    Cartoon Contest
    Current Issue
    7 Threats & Disruptive Forces Changing the Face of Cybersecurity
    This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
    Flash Poll
    Rethinking Enterprise Data Defense
    Rethinking Enterprise Data Defense
    Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
    Twitter Feed
    Dark Reading - Bug Report
    Bug Report
    Enterprise Vulnerabilities
    From DHS/US-CERT's National Vulnerability Database
    CVE-2019-5230
    PUBLISHED: 2019-11-13
    P20 Pro, P20, Mate RS smartphones with versions earlier than Charlotte-AL00A 9.1.0.321(C00E320R1P1T8), versions earlier than Emily-AL00A 9.1.0.321(C00E320R1P1T8), versions earlier than NEO-AL00D NEO-AL00 9.1.0.321(C786E320R1P1T8) have an improper validation vulnerability. The system does not perform...
    CVE-2019-5231
    PUBLISHED: 2019-11-13
    P30 smartphones with versions earlier than ELLE-AL00B 9.1.0.186(C00E180R2P1) have an improper authorization vulnerability. The software incorrectly performs an authorization check when a user attempts to perform certain action. Successful exploit could allow the attacker to update a crafted package.
    CVE-2019-5233
    PUBLISHED: 2019-11-13
    Huawei smartphones with versions earlier than Taurus-AL00B 10.0.0.41(SP2C00E41R3P2) have an improper authentication vulnerability. Successful exploitation may cause the attacker to access specific components.
    CVE-2019-5246
    PUBLISHED: 2019-11-13
    Smartphones with software of ELLE-AL00B 9.1.0.109(C00E106R1P21), 9.1.0.113(C00E110R1P21), 9.1.0.125(C00E120R1P21), 9.1.0.135(C00E130R1P21), 9.1.0.153(C00E150R1P21), 9.1.0.155(C00E150R1P21), 9.1.0.162(C00E160R2P1) have an insufficient verification vulnerability. The system does not verify certain par...
    CVE-2010-4177
    PUBLISHED: 2019-11-12
    mysql-gui-tools (mysql-query-browser and mysql-admin) before 5.0r14+openSUSE-2.3 exposes the password of a user connected to the MySQL server in clear text form via the list of running processes.