Monthly Archives: March 2020

Is Your Company Ready for a Big Data Breach?

Larry Ponemon

The Seventh Annual Study: Is Your Company Ready for a Big Data Breach?, sponsored by Experian Data Breach Resolution and conducted by Ponemon Institute, tracks the steps companies are taking, or not taking, to respond to a data breach. According to the findings, significantly more organizations have had data breaches since 2017, which highlights the importance of being prepared.

This year, we surveyed 650 professionals in the United States and 456 in EMEA[1]. A comparison of the US and EMEA findings is presented in Part 3 of this report. All respondents work in IT and IT security, compliance or privacy and are involved in their organizations' data breach response plans. In the context of this research, we define a data breach as the loss or theft of information assets, including intellectual property such as trade secrets, contact lists, business plans and source code. Data breaches happen for various reasons, including human error and system glitches. They also happen as a result of malicious attacks, hacktivism or criminal attacks that seek to obtain valuable data, disrupt business operations or tarnish reputation.

Organizations are challenged to respond to the loss or theft of confidential business information and intellectual property. Sixty-seven percent of respondents say their organizations are most concerned about the loss or theft of intellectual property. However, since 2017 the ability to respond to a data breach involving this type of information has not improved significantly. Organizations are better able to respond to breaches that require notification of victims and regulators.

In this year’s research, we introduced the following new topics:

  • The maturity of organizations’ privacy and data protection program
  • The frequency, consequences and preparedness to deal with spear phishing attacks
  • The frequency, consequences and preparedness to deal with ransomware
  • The impact of the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) on data breach preparedness

The following findings describe organizations' abilities to respond to a big data breach.

Investments in security technologies are increasing to improve the ability to detect and respond quickly to a data breach. More data breaches are occurring, and as a result 68 percent of respondents say their organizations have increased their investments in security technologies in order to detect and respond quickly to a data breach.

C-suite executives are more knowledgeable than the board of directors about data breach preparedness plans. The C-suite's knowledge of the data breach preparedness plans is much higher than the board of directors' (55 percent of respondents vs. 40 percent of respondents).

Most training and awareness programs are conducted when employees are hired. Seventy-two percent of respondents have a privacy training program for employees and other stakeholders who have access to sensitive or confidential information. Almost half (49 percent of respondents) say training is conducted during the onboarding of new employees.

Cyber insurance coverage is focused on attacks by cyber criminals and malicious or criminal insiders. About half of respondents (49 percent) say their organizations have a data breach and cyber insurance policy. Of the 51 percent of respondents who currently do not have a cyber insurance policy, 58 percent say they will purchase one within the next two years. Among those with a policy, 83 percent of respondents say it covers incidents caused by cyber criminals and 65 percent say it covers malicious or criminal insiders. Only 38 percent of respondents say it covers human error, one of the major causes of a data breach.

Since 2017, coverage of identity protection services for victims has increased significantly. The top areas of coverage are legal defense costs and identity protection and notification costs for data breach victims. Seventy-two percent of respondents say identity protection services are covered, an increase from 64 percent in 2017.

The primary benefit of sharing information about data breach experiences and incident response plans is collaboration with peers. Fifty-seven percent of respondents currently participate, or are planning to participate, in a program for sharing information about data breaches and incident response plans. The primary benefit is that it fosters collaboration among peers and industry groups.

Effectiveness of data breach response plans continues to improve. Since 2017, the share of respondents who say their data breach response plans are very or highly effective has increased from 49 percent to 57 percent. However, 66 percent of respondents say their organizations have not reviewed or updated the plan since it was put in place, or have not set a specific time to review and update it. Only 26 percent of respondents say the plan is reviewed annually.

The majority of organizations practice responding to a data breach. Seventy-five percent of respondents say they practice their ability to respond to a data breach. Of these, 45 percent of respondents say they do so twice per year.

More organizations are regularly reviewing physical security and access to confidential information. The primary steps being taken to prepare for a data breach are regular reviews of physical security and access to confidential information (73 percent of respondents) and conducting background checks on new full-time employees and vendors (69 percent of respondents).

Organizations are not confident in their ability to minimize reputational consequences and prevent the loss of customers. Sixty-two percent of respondents believe credit monitoring for victims is the best protection for consumers and the most effective way to retain customers. However, only 23 percent of respondents say their organization is confident in its ability to minimize the financial and reputational consequences of a material data breach, and only 38 percent of respondents say they are effective at doing what needs to be done following a material data breach to prevent the loss of customers' and business partners' trust and confidence.

Spear phishing attacks are pervasive, and confidence in dealing with them is declining. Sixty-nine percent of respondents had one or more spear phishing attacks, and 67 percent of respondents say the negative consequences of these attacks were very significant or significant. Despite the frequency of these attacks, 50 percent of respondents do not train their employees to recognize and minimize spear phishing incidents. Since 2017, the share of respondents who say their organizations are very confident or confident in their ability to deal with spear phishing attacks has declined from 31 percent to 23 percent.

Respondents are even less confident in their ability to deal with ransomware. Only 20 percent of respondents are very confident in their ability to do so. Thirty-six percent of respondents say their organizations had a ransomware attack. The average ransom was $6,128, and 68 percent of respondents say it was paid.

More breaches are international or global in scope, and only 34 percent of respondents say they are confident in their organizations' ability to respond to these breaches. Sixty-three percent of respondents say their organization had a data breach in the past two years, and 45 percent of those respondents say one or more of these breaches was global. Since 2017, the share of respondents reporting that their incident response plan includes processes to manage an international data breach has increased significantly, from 54 percent to 64 percent. Fifty-seven percent say the plan is specific to each location in which the organization operates.

Now that the General Data Protection Regulation (GDPR) has been in effect for more than a year, organizations have improved their ability to comply with it. Fifty-four percent of respondents say they have a high or very high ability to comply with the regulation (an increase from 36 percent), and 50 percent of respondents report high or very high effectiveness in complying with its data breach notification rules (an increase from 23 percent). Having the necessary security technologies in place to detect a data breach quickly is the number one reason given for being effective.

The CCPA requires organizations to make comprehensive changes to business practices. Fifty-six percent of respondents say they are aware of the CCPA, and of these, 47 percent say their organization is subject to the Act. The top two challenges to CCPA compliance are the same as for the GDPR: the need to change business practices and insufficient budget to hire additional staff.

Lessons learned from organizations with a mature privacy and data protection program

The report presents a special analysis of how the maturity of organizations' privacy and data protection programs affects data breach preparedness. Nineteen percent of respondents self-reported that their organizations have a mature program, meaning that activities are fully defined, maintained across the enterprise and measured with KPIs, and that C-level executives are regularly informed about the program's effectiveness. The following findings are persuasive in showing how making the investments needed to achieve maturity improves data breach preparedness.

  • Mature privacy and data protection programs have fewer data breaches. Fifty-five percent of respondents in mature programs say their organizations had a data breach in the past two years. In contrast, at least 60 percent of respondents at the other maturity levels report having had a data breach.
  • Mature programs are more adept at preventing negative public opinion and media coverage. Fifty-five percent of respondents in mature programs say they are effective in managing the risk of negative opinion and media coverage following a material data breach. In contrast, only 37 percent of respondents in programs at the middle stage of maturity say they are effective.
  • More mature programs represented in this study are increasing investments in security technologies to be able to detect and respond quickly to a data breach.
  • Mature programs are more likely to participate in sharing information about their data breach and incident response experiences with government and industry peers.
  • Mature programs are better prepared to manage an international data breach. Seventy-one percent of respondents in mature programs say their incident response plan includes processes to manage an international data breach.

For the full results, visit Experian's website.

Coronavirus could be a tipping point (finally) for telecommuting

Bob Sullivan

Since the 1973 oil embargo, and the nearly concurrent coining of the term "gridlock," Americans have mused about telecommuting as the solution to many modern ills. When high-speed Internet began making its way into homes in the late 1990s, telecommuting seemed on the verge of a breakout. Why waste time in traffic jams when email can get to your home office just as quickly? The promise of returning 10 or so hours each week to workers, not to mention dramatic potential savings in office rental costs, sounded irresistible.

Instead, managers seemed too attached to the physical presence of their employees, and some employees wondered if their stay-at-home co-workers were really getting much done in their jammies. A bit of a backlash emerged after the turn of the century, reaching its apex when Yahoo CEO Marissa Mayer effectively killed that company's work-from-home program.

So much for leaving rush-hour traffic behind.

Today, a scant 3 percent of Americans telecommute most of the time, according to FlexJobs. That means about as many Americans suffer through daily "extreme commutes" of more than 90 minutes each way as take advantage of full-time telecommuting.

The Coronavirus might finally change that.

In reaction to the outbreak's foothold in Seattle, big tech companies in the Pacific Northwest have quickly adopted telecommuting plans. Microsoft, Amazon, Facebook and Google have all told employees to work from home whenever possible, and to stay there for most of March. So has King County, the local government for the Seattle area. Fred Hutchinson Cancer Research Center told many of its employees they have no choice: they must work at home.

Early 2020 might turn into a forced social experiment that could finally answer the question: Do we need rush hour any more?

“While about 50% of people work from home at least half the week on a regular basis, we still see that only about 3-4% work from home full-time. Now, because of the coronavirus, we’re seeing a real focus on remote work that may very well be a tipping point in terms of wider-spread adoption of full-time remote work,” said Brie Weiler Reynolds, Career Development Manager and Coach at FlexJobs. “It seems that, in this latest situation, companies have more easily jumped to remote work as one big solution to keep employees safe, maintain continuity of operations, and handle the uncertainty day by day.”

Of course, not everyone can work from home. Bus drivers and security workers, for example, must remain at their posts. The Seattle Times has an important story about this newly and rapidly forming digital divide. That group cannot be ignored in this social experiment.

But it's hard not to imagine that Seattle companies might get used to all those empty desks, not to mention emptier highways, and, with new work patterns in place, find a way to continue their ad hoc work-from-home arrangements long term. It's a stretch to look for silver linings in today's climate, but climate researchers have found one when looking at China: air pollution has plummeted there during the crisis. It's easy to imagine that kind of unintended consequence in Seattle as well, as thousands of cars are taken off the road and gridlock is reduced.

Widespread adoption of telecommuting holds out big promises, FlexJobs says: 124 billion fewer car miles driven annually, 8 billion fewer trips, an $8 billion reduction in auto accident costs and 54 million tons less in greenhouse gas emissions.

While most companies are sensibly making only short-term plans right now, Weiler Reynolds expects virus-related work-from-home arrangements will probably last well past the end of March.

“Because the virus’s threat is ongoing and it’s hard to predict how long things may stay this way, we may see companies using remote work daily for the coming weeks or months, and realizing that it’s actually a productive, effective way to work over a long term basis,” she said.