Even though organizations know about the importance of data breach preparedness, with 86% of companies having a data breach response plan in 2016 versus 61% in 2013, a recent study by the Ponemon Institute shows that they're far from implementing their plans in a way that helps them weather the storm if a breach happens.
The study's findings include:
- 38% of organizations don’t have a set time for reviewing and updating their data breach plans.
- 29% have not reviewed or updated their plan since it was put in place.
- 26% of organizations don't practice their plan, and 64% don't practice it because it is not a priority.
- Only 39% of organizations practice their plan at least twice a year.
- 27% of organizations are confident in their ability to minimize the financial and reputational consequences of a breach.
- 31% lack confidence in dealing with an international incident.
- Only 38% of companies have a data breach or cyber insurance policy and of those that do not have such a policy, 40% don’t plan on purchasing one.
- Only 46% of organizations (less than half) have integrated their response plans into their business continuity plans.
- Only 12% of organizations meet with law enforcement or state regulators in advance of an incident.
Having a data breach response plan alone doesn't make an organization prepared. Preparedness requires an ongoing process around the plan: regular reviews of the plan and practice drills to ensure it works, especially against the new threats companies are facing, such as ransomware.
- The Ponemon Institute study shows that 56% of organizations are not confident that they could deal with a ransomware incident.
- Only 9% have determined under what circumstances they would pay to resolve a ransomware incident.
The reason for investing in breach preparedness in a way that makes it effective is like planning for a natural disaster: it's so that a company can get through the storm and avoid sure death. If companies are just checking off a box on their security list but aren't doing anything else with their response plans, they are no safer from old or new threats than they were without a plan.
Some good news from the study though is the fact that organizations are showing an increase in the level of preparedness.
- 58% of companies have increased their investment in security technologies in the past 12 months to be able to detect and respond to a breach, compared to 48% in 2014.
- 61% of organizations have a privacy/data protection awareness and training program for employees and stakeholders who have access to sensitive or confidential personal information compared to 44% in 2013.
- Organizations also understand the importance of taking action after a breach occurs to keep customers and maintain their reputation: 71% provide free identity theft protection and credit monitoring services, while 45% offer gift cards and 40% provide discounts on their products or services.
If organizations are going to get serious about data breach preparedness, they need to stop treating security as something separate from their business processes and operations. Executives need to see security as a priority, an ongoing process, and part of running their business. Essentially, data security needs to become part of the company's DNA, so to speak.
How long has it been since you’ve tested your data breach response plan? Better yet, do you have a plan in place?
If you’re not sure where you stand on data breach preparedness, give us a call. Schedule your free data security consultation so that we can help you weather a data breach storm and avoid becoming the next Target or Yahoo.
Photo courtesy of Tashatuvango