Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

07:00 AM
Connect Directly

Incident Response: Having a Plan Isn't Enough

Data shows organizations neglect to review and update breach response plans as employees and processes change, putting data at risk.

Businesses are slowly improving their data breach plans, but lack of executive involvement, failure to review and update plans, and regulatory and compliance challenges prevent them from being able to respond to security incidents with increasingly severe consequences.

A new study – entitled "Is Your Company Ready for a Big Data Breach?" – conducted by the Ponemon Institute and commissioned by Experian, polled 643 professionals in IT and IT security on their organizations' data breach response practices.

They learned 52% of respondents rate their response plans as "very effective," slightly up from 49% one year prior and 42% in 2016. Still, only 36% feel sufficiently prepared to respond to incidents involving business confidential information and intellectual property.

It's slow-going progress at a time when more businesses are disclosing breaches and realizing their far-reaching effects. Nearly 60% of respondents reported a data breach in 2018. Of those, 73% reported multiple. Incidents are causing greater financial damage: A 2018 Ponemon study showed the average consolidated cost of a breach is $3.86 million. Fear of reputational damage is also top-of-mind among 27% of respondents who believe a breach would tarnish their brands.

Most (92%) companies have a data breach notification plan in place. The problem is, most companies with a breach response plan fail to adapt to change. Forty-two percent of respondents have "no set time period" for reviewing and updating their response plans, and 23% haven't reviewed or updated their plans since it was put in place – "which may be years at a time," says Michael Bruemmer, vice president of data breach resolution at Experian.

"Where we see simple mistakes being made it, the plan is set on the shelf and done once, then employees and processes change and they don't update the plan," he explains. "In data breach response, timing and accuracy of information is really important."

It's one thing to have a good response, but there's a great penalty if your company suffers multiple security incidents and doesn't alter its plan to reflect what was learned from them. It should regularly follow up, update the plan, and practice the process of incident response, researchers note in the report.

Unpacking Response Plans
Which incidents do companies plan for? Most (87%) plans include guidance on how to handle a distributed denial-of-service (DDoS) attack that could cause system outage, 80% address loss or theft of personally identifiable information (PII), and 79% address loss or theft of data on customer associations that could lead to brand damage. About three-quarters include guidance on loss or theft of payment data; 73% address loss or theft of intellectual property or confidential business data.

"Many companies are among those that recognize the sensitive PII in their possession and know they are an attractive target," Bruemmer says. They know they need to have a plan regardless of whether they've already been hit. Still, "a vast number of businesses only learn that their company needs to have a plan in place once the security incident occurs," he adds.

Bruemmer advises organizations to form a data privacy program or job-specific security or privacy training program for employees who have access to PII and other sensitive information. Twenty-seven percent of businesses don't have this type of program, he adds, and people who have admin access and handle PII should be trained on how to avoid cyberattacks.

"The blanket approach that everyone takes the same training ... that used to be the norm five years ago. That can't be the norm now," he explains.

Breach Response's Biggest Burdens
Cloud complicates breach response, researchers report. Sixty-three percent say lack of visibility into end users' data access is their biggest barrier in improving breach response. Sixty percent say the proliferation of cloud services is another major challenge, and 43% are concerned about the lack of security process for third parties that handle their corporate data.

Lack of expertise may have fallen in fourth place, listed among only 37% as a barrier to breach response, but more people have cited this as an obstacle over the years. Less than one-third worried about lack of expertise in the 2017 survey, which was up from 29% the year prior.

Some types of security incidents pose a greater challenge than others. Only 21% of respondents expressed confidence in their ability to handle ransomware attacks, and 24% said the same for spear-phishing, researchers found. Less than half (47%) educate employees on spear-phishing.

Organizations also face compliance and regulatory challenges, Bruemmer points out. The EU's General Data Protection Regulation (GDPR) went into effect in May 2018; since then, 59% of respondents report their organizations' plans now include processes to handle an international data breach, up from 51% in 2016. However, GDPR rules are tough to comply with, and only 36% of companies say they have a high ability to comply with the data breach notification rules.

It's Time for Execs to Chip In
Senior leadership's involvement in breach response is "mostly reactive." C-suite and board members mostly want to know whether a material breach took place and generally don't know about the specific security threats to their organizations. Only 22% of respondents say the C-suite regularly participates in response plan reviews; 10% say the same for board members.

About half (49%) of respondents say executives don't know about response plans, and 81% think their response plans would be more effective with executive involvement. They also cite a need for more drills to practice incident response and for more skilled infosec employees.

Related Content:



Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Data Leak Week: Billions of Sensitive Files Exposed Online
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/10/2019
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Our Endpoint Protection system is a little outdated... 
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-12-12
In Apache SpamAssassin before 3.4.3, a message can be crafted in a way to use excessive resources. Upgrading to SA 3.4.3 as soon as possible is the recommended fix but details will not be shared publicly.
PUBLISHED: 2019-12-12
In phpfastcache before 5.1.3, there is a possible object injection vulnerability in cookie driver.
PUBLISHED: 2019-12-12
In Apache SpamAssassin before 3.4.3, nefarious CF files can be configured to run system commands without any output or errors. With this, exploits can be injected in a number of scenarios. In addition to upgrading to SA 3.4.3, we recommend that users should only use update channels or 3rd party .cf ...
PUBLISHED: 2019-12-12
An exploitable denial-of-service vulnerability exists in the hostapd 2.6, where an attacker could trigger AP to send IAPP location updates for stations, before the required authentication process has completed. This could lead to different denial of service scenarios, either by causing CAM table att...
PUBLISHED: 2019-12-12
An exploitable denial-of-service vulnerability exists in the 802.11w security state handling for hostapd 2.6 connected clients with valid 802.11w sessions. By simulating an incomplete new association, an attacker can trigger a deauthentication against stations using 802.11w, resulting in a denial of...