The Seventh Annual Study: Is Your Company Ready for a Big Data Breach? sponsored by Experian Data Breach Resolution and conducted by Ponemon Institute tracks the steps companies are taking, or not taking, to respond to a data breach. According to the findings, since 2017 significantly more organizations are having data breaches, highlighting the importance of being prepared.
This year, we surveyed 650 professionals in the United States and 456 in EMEA[1]. A comparison of the US and EMEA findings is presented in Part 3 of this report. All respondents work in IT and IT security, compliance and privacy and are involved in data breach response plans in their organizations. In the context of this research, we define a data breach as the loss or theft of information assets, including intellectual property such as trade secrets, contact lists, business plans and source code. Data breaches happen for various reasons, including human errors and system glitches. They also happen as a result of malicious attacks, hacktivism or criminal attacks that seek to obtain valuable data, disrupt business operations or tarnish reputation.
Organizations are challenged to respond to the loss or theft of confidential business information and intellectual property. Sixty-seven percent of respondents say their organizations are most concerned about the loss or theft of intellectual property. However, since 2017 the ability to respond to a data breach involving this type of information has not improved significantly. Organizations are better able to respond to breaches that require notification to victims and regulators.
In this year’s research, we introduced the following new topics:
- The maturity of organizations’ privacy and data protection program
- The frequency, consequences and preparedness to deal with spear phishing attacks
- The frequency, consequences and preparedness to deal with ransomware
- The impact of the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) on data breach preparedness
The following findings describe organizations’ abilities to respond to a big data breach.
Investments in security technologies are increasing to improve the ability to detect and respond quickly to a data breach. More data breaches are occurring. As a result, 68 percent of respondents say their organizations have increased their investments in security technologies in order to be able to detect and respond quickly to a data breach.
C-suite executives are more knowledgeable than the board of directors about data breach preparedness plans. The C-suite’s knowledge about the data breach preparedness plans is much higher than that of the board of directors (55 percent of respondents vs. 40 percent of respondents).
Most training and awareness programs are conducted when employees are hired. Seventy-two percent of respondents have a privacy and training program for employees and other stakeholders who have access to sensitive or confidential information. Almost half (49 percent of respondents) say training is conducted during the on-boarding of new employees.
Cyber insurance coverage is focused on attacks by cyber criminals and malicious or criminal insiders. About half of respondents (49 percent) say their organizations have a data breach and cyber insurance policy. Of the 51 percent of respondents who currently do not have a cyber insurance policy, 58 percent say they will purchase one within the next two years. Eighty-three percent of respondents say it covers incidents caused by cyber criminals and 65 percent of respondents say it covers malicious or criminal insiders. Only 38 percent of respondents say it covers human error, one of the major causes of a data breach.
Since 2017, the coverage of identity protection services to victims has increased significantly. The top areas of coverage are legal defense costs and identity protection and notification costs to data breach victims. Seventy-two percent of respondents say identity protection services are covered, an increase from 64 percent in 2017.
The primary benefit of sharing information about data breach experiences and incident response plans is collaborating with peers. Fifty-seven percent of respondents currently participate, or are planning to participate, in a sharing program about data breaches and incident response plans. The primary benefit is that it fosters collaboration among peers and industry groups.
Effectiveness of data breach response plans continues to improve. Since 2017, more respondents say their data breach response plans are very or highly effective, an increase from 49 percent of respondents to 57 percent of respondents. However, 66 percent of respondents say their organizations have not reviewed or updated the plan since it was put in place or have not set a specific time to review and update the plan. Only 26 percent of respondents say it is reviewed annually.
The majority of organizations practice responding to a data breach. Seventy-five percent of respondents say they practice their ability to respond to a data breach. Of these, 45 percent of respondents say they do this twice per year.
More organizations are regularly reviewing physical security and access to confidential information. The primary steps being taken to prepare for a data breach are regular reviews of physical security and access to confidential information (73 percent of respondents) and conducting background checks on new full-time employees and vendors (69 percent of respondents).
Organizations are not confident in their ability to minimize reputational consequences and prevent the loss of customers. To prevent the loss of customers, 62 percent of respondents believe credit monitoring protection for victims is the best protection for consumers and the most effective in keeping customers. However, only 23 percent of respondents say their organization is confident in its ability to minimize the financial and reputational consequences of a material data breach and only 38 percent of respondents say they are effective at doing what needs to be done following a material data breach to prevent the loss of customers’ and business partners’ trust and confidence.
Spear phishing attacks are pervasive and confidence in dealing with them is declining. Sixty-nine percent of respondents had one or more spear phishing attacks and 67 percent of respondents say the negative consequences of these attacks were very significant or significant. Despite the frequency of these attacks, 50 percent of respondents do not train their employees to recognize and minimize spear phishing incidents. Since 2017, the share of respondents who say their organizations are very confident or confident in their ability to deal with spear phishing attacks has declined from 31 percent to 23 percent.
Respondents are even less confident in their ability to deal with ransomware. Only 20 percent of respondents are very confident in their ability. Thirty-six percent of respondents say their organizations had a ransomware attack. The average ransom was $6,128 and 68 percent of respondents say it was paid.
More breaches are international or global in scope and only 34 percent of respondents say they are confident in their organizations’ ability to respond to these breaches. As discussed previously, 63 percent of respondents say their organization had a data breach in the past two years. Forty-five percent of respondents say one or more of these breaches were global. Since 2017, respondents reporting that their incident response plan includes processes to manage an international data breach increased significantly from 54 percent to 64 percent. Fifty-seven percent say the plan is specific to each location in which the organization operates.
Now that the General Data Protection Regulation (GDPR) has been in effect for more than a year, organizations have improved their ability to comply with it. Fifty-four percent of respondents say they have a high or very high ability to comply with the regulation (an increase from 36 percent) and 50 percent of respondents have a high or very high effectiveness in complying with the data breach notification rules (an increase from 23 percent). Having the necessary security technologies in place to detect the occurrence of a data breach quickly is the number one reason for being effective.
CCPA results in organizations having to make comprehensive changes in business practices. Fifty-six percent of respondents say they are aware of the CCPA and, of these respondents, 47 percent say they are subject to the Act. The top two challenges to compliance with the CCPA are similar to those for achieving compliance with the GDPR: the need to change business practices and not enough budget to hire additional staff.
Lessons learned from organizations with a mature privacy and data protection program
The report presents a special analysis on how the maturity of organizations’ privacy and data protection programs can affect data breach preparedness. Nineteen percent of respondents self-reported that their organizations have a mature program, which means that activities are fully defined, maintained across the enterprise and measured with KPIs. In addition, C-level executives are regularly informed about the program’s effectiveness. The following findings are persuasive in showing how making the needed investments to achieve maturity will improve data breach preparedness.
- Mature privacy and data protection programs have fewer data breaches. Fifty-five percent of respondents in mature programs say their organizations had a data breach in the past two years. In contrast, a minimum of 60 percent of respondents in the other levels of maturity report having a data breach.
- Mature programs are more adept at preventing negative public opinion and media coverage. Fifty-five percent of respondents say they are effective in managing the risk of negative opinions and media coverage following a material data breach. In contrast, only 37 percent of respondents in programs that are in the middle stage say they are effective.
- More mature programs represented in this study are increasing investments in security technologies to be able to detect and respond quickly to a data breach.
- Mature programs are more likely to participate in sharing information about their data breach and incident response experiences with government and industry peers.
- Mature programs are better prepared to manage an international data breach. Seventy-one percent of respondents in mature programs say their incident response plan includes processes to manage an international data breach.
For the full results, visit Experian’s website.