A recent study by an independent research institute suggests that the increase in companies’ efforts to prepare for data breaches may not be keeping up with the increased risk. A September 2014 report by Ponemon Institute LLC concludes that many companies remain “deficient in governance and security practices that could strengthen their data breach preparedness.”
Key points from the Ponemon report…
In its second annual study on data breach preparedness, Ponemon (a self-described “research think tank dedicated to advancing privacy and data protection practices”) made the following observations:
- The percentage of survey-respondent companies with data breach plans in place has increased to 73%, which is certainly a positive development.
- Unfortunately, data breaches are increasing in frequency at an even faster rate.
- The percentage of respondents with data breach or cyber security insurance policies more than doubled from 2013 to 2014 to 26%. (See this Doug’s Note for more on cyber security insurance.)
- Preparedness programs often fail to address all consequences of a breach, including such things as negative public opinion or media reports, loss of customer and business partner confidence, loss of confidential information and intellectual property and notification of victims and regulators.
- Despite the existence of breach preparedness plans, only 30% of respondents believe theirs is effective.
- Many respondents reported that their preparedness plans have been largely ignored after they were developed. Reviewing, updating and practicing of preparedness plans are spotty.
- Only 29% say their board of directors and CEO are “informed and involved” in plans to deal with a breach.
- Only 36% say that their leadership has asked to be notified immediately if a material breach occurs.
- Fewer than half of respondents have invested in technology to detect and respond to a breach.
- Three quarters of respondents believe that “fire drills” are the most effective way to enhance the response process.
- Employee training needs to be improved.
The Ponemon study highlights that, with data breaches occurring with increasing regularity, it is not enough to simply adopt a preparedness plan. A plan without effective implementation and ongoing updating is only marginally better than no plan at all.