Businesses are slowly improving their data breach plans, but lack of executive involvement, failure to review and update plans, and regulatory and compliance challenges prevent them from being able to respond to security incidents with increasingly severe consequences.
A new study – entitled "Is Your Company Ready for a Big Data Breach?" – conducted by the Ponemon Institute and commissioned by Experian, polled 643 professionals in IT and IT security on their organizations' data breach response practices.
They learned 52% of respondents rate their response plans as "very effective," slightly up from 49% one year prior and 42% in 2016. Still, only 36% feel sufficiently prepared to respond to incidents involving business confidential information and intellectual property.
It's slow-going progress at a time when more businesses are disclosing breaches and realizing their far-reaching effects. Nearly 60% of respondents reported a data breach in 2018. Of those, 73% reported multiple. Incidents are causing greater financial damage: A 2018 Ponemon study showed the average consolidated cost of a breach is $3.86 million. Fear of reputational damage is also top-of-mind among 27% of respondents who believe a breach would tarnish their brands.
Most (92%) companies have a data breach notification plan in place. The problem is, most companies with a breach response plan fail to adapt to change. Forty-two percent of respondents have "no set time period" for reviewing and updating their response plans, and 23% haven't reviewed or updated their plans since it was put in place – "which may be years at a time," says Michael Bruemmer, vice president of data breach resolution at Experian.
"Where we see simple mistakes being made it, the plan is set on the shelf and done once, then employees and processes change and they don't update the plan," he explains. "In data breach response, timing and accuracy of information is really important."
It's one thing to have a good response, but there's a great penalty if your company suffers multiple security incidents and doesn't alter its plan to reflect what was learned from them. It should regularly follow up, update the plan, and practice the process of incident response, researchers note in the report.
Unpacking Response Plans
Which incidents do companies plan for? Most (87%) plans include guidance on how to handle a distributed denial-of-service (DDoS) attack that could cause system outage, 80% address loss or theft of personally identifiable information (PII), and 79% address loss or theft of data on customer associations that could lead to brand damage. About three-quarters include guidance on loss or theft of payment data; 73% address loss or theft of intellectual property or confidential business data.
"Many companies are among those that recognize the sensitive PII in their possession and know they are an attractive target," Bruemmer says. They know they need to have a plan regardless of whether they've already been hit. Still, "a vast number of businesses only learn that their company needs to have a plan in place once the security incident occurs," he adds.
Bruemmer advises organizations to form a data privacy program or job-specific security or privacy training program for employees who have access to PII and other sensitive information. Twenty-seven percent of businesses don't have this type of program, he adds, and people who have admin access and handle PII should be trained on how to avoid cyberattacks.
"The blanket approach that everyone takes the same training ... that used to be the norm five years ago. That can't be the norm now," he explains.
Breach Response's Biggest Burdens
Cloud complicates breach response, researchers report. Sixty-three percent say lack of visibility into end users' data access is their biggest barrier in improving breach response. Sixty percent say the proliferation of cloud services is another major challenge, and 43% are concerned about the lack of security process for third parties that handle their corporate data.
Lack of expertise may have fallen in fourth place, listed among only 37% as a barrier to breach response, but more people have cited this as an obstacle over the years. Less than one-third worried about lack of expertise in the 2017 survey, which was up from 29% the year prior.
Some types of security incidents pose a greater challenge than others. Only 21% of respondents expressed confidence in their ability to handle ransomware attacks, and 24% said the same for spear-phishing, researchers found. Less than half (47%) educate employees on spear-phishing.
Organizations also face compliance and regulatory challenges, Bruemmer points out. The EU's General Data Protection Regulation (GDPR) went into effect in May 2018; since then, 59% of respondents report their organizations' plans now include processes to handle an international data breach, up from 51% in 2016. However, GDPR rules are tough to comply with, and only 36% of companies say they have a high ability to comply with the data breach notification rules.
It's Time for Execs to Chip In
Senior leadership's involvement in breach response is "mostly reactive." C-suite and board members mostly want to know whether a material breach took place and generally don't know about the specific security threats to their organizations. Only 22% of respondents say the C-suite regularly participates in response plan reviews; 10% say the same for board members.
About half (49%) of respondents say executives don't know about response plans, and 81% think their response plans would be more effective with executive involvement. They also cite a need for more drills to practice incident response and for more skilled infosec employees.
- Bounty Hunters Find 100K+ Bugs Under HackerOne Program in 2018
- CrowdStrike Debuts Mobile Threat Detection System at RSA Conference
- Here's What Happened When a SOC Embraced Automation
- 6 Tips for Getting the Most from Your VPN
Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.