With data breaches continuing to increase in frequency and severity, it comes as no surprise that businesses are acknowledging this risk as a top concern and priority. Nearly half of organizations surveyed report having a data breach involving the loss or theft of more than 1,000 records containing sensitive or confidential information in the past two years. And the frequency of data breaches is increasing. Sixty-three percent of these respondents report their company had two or more breaches in the past two years.
However, the enclosed findings from our Third Annual Study: Is Your Company Ready for a Big Data Breach sponsored by Experian® Data Breach Resolution, illustrate that many companies still lack confidence in their ability to manage these issues and execute their data breach response plan. We surveyed 604 executives and staff employees who work primarily in privacy and compliance in the United States.
Since 2013, we have tracked changes in how confident companies are in responding to a data breach. This year, we took our analysis a step further by digging into what companies are specifically including in their data breach response plans to get to the root cause of why their confidence is lacking and the areas where they struggle to follow best practices.
As shown in Figure 1, of the 81 percent of respondents who say their company has a plan, only 34 percent say these plans are very
effective or effective. This is a slight increase from 30 percent in 2014. Thus, major gaps remain in how they are comprehensively preparing for a data breach.
Specifically, organizations aren’t taking into account the full breadth of procedures that need to be incorporated in the response plan
and aren’t considering the wide variety of security incidents that can happen. The good news is some of the barriers to addressing
those issues can be easily solved.
Some of the key findings we uncovered from this year’s survey include:
Data breaches are more concerning than product recalls and lawsuits. A majority of business leaders acknowledge the potential damage data breaches can cause to corporate reputation is significant. They ranked a data breach second only to poor customer service and ahead of product recalls, environmental incidents and publicized lawsuits. The combination of the higher likelihood and significant impact has caused data breaches to be a major issue across all sectors.
Data breach preparedness sees increased awareness from senior leadership. Boards of directors, chairmen and CEOs have become more involved and informed in the past 12 months about their companies’ plans to deal with a possible data breach. In 2014, only 29 percent of
respondents said their senior leadership were involved in data breach preparedness. This year, perhaps due to recent mega breaches, 39 percent of respondents say their boards, chairmen and CEOs are involved at a high level. Most interesting is their participation in a high level review of
the data breach response plan in place increased from 45 percent to 54 percent of respondents.
Significant increase in response plans over three years. As discussed above, this year more companies have a baseline data breach response plan in place. Since first conducting this study in 2013, the percentage of organizations that reported having a data breach response plan
increased from 61 percent to 81 percent. However, it is surprising that still not all companies are taking the basic step of developing a data breach response plan.
Many are still struggling in terms of feeling confident in their ability to secure data and manage a breach. Figure 1 above shows only 34 percent of respondents say their organizations’ data breach response plan is very effective or effective. Despite increased security investments and incident response planning, when asked in detail about the preparedness of their
organization, many senior executives are not confident in how they would handle a real-life issue.
Following are reasons for rating these plans as not as effective as they should be:
- Forty-one percent of respondents say their organization is not effective or unsure about the effectiveness of their data breach response plan.
- Only 28 percent of respondents rate their organization’s response plan as effective in reducing the likelihood of lawsuits; and only 32 percent rate their response plan as effective for protecting customers.
Executives are concerned about their ability to respond to a data breach involving confidential information and intellectual property.
- Only 39 percent report they are prepared to respond to this type of incident.
- Only 32 percent of organizations report they understand what needs to be done following a material data breach to prevent negative public opinion.
- Only 28 percent of organizations are confident in its ability to minimize the financial and reputational consequences of a material breach.