eBay. Home Depot. Target. And on and on. With data breaches making headlines the world over, it may seem that data breaches are becoming ubiquitous—and to a certain extent, they are. Almost half (43%) of organizations in a recent survey from Experian Data Breach Resolution and Ponemon Institute said that they have suffered at least one security incident, up 10% from 2013.
And, given the state of detection systems (i.e., inadequate, as we’ve seen in the latest TripAdvisor/Viator breach), actual instances are probably under-reported. “The finding that 43% of companies have experienced a data breach in the past year seems low,” said John Prisco, CEO at Triumfant, in a comment to Infosecurity. “Most companies don't have sensitive enough tools to know when they are breached. Not to mention, in-memory attacks are on the rise and most companies have no way to discover and remediate in-memory attacks.”
The flip side of this is that awareness for data security is at an all-time high and more companies are preparing with a data breach response plan. The study, found that the publicity has translated into companies understanding the importance of data breach preparedness, with more companies putting a data breach response plan in place than ever before (73%). That’s up 12% from 2013.
And, 48% of organizations have increased investments in security technologies in the past 12 months. And, respondents are thinking about post-breach mitigation too: they ranked identity theft protection products and access to a call center as the two most important services a company should provide customers following a breach.
"Compared to last year's study results, survey findings show encouraging signs that organizations are beginning to better prioritize data breach prevention, but more needs to be done," said Larry Ponemon, chairman and founder of the Ponemon Institute, in a statement.
However, he had a caveat: "Companies should be careful of not becoming complacent because they have a response plan in place or just completed a security audit. Preparedness requires ongoing maintenance and diligence."
And indeed, most haven't or don't regularly update their plan (78%) to account for changes in threats or as processes at a company change.
Interestingly, confidence amongst senior executives to manage a data breach remains low. Despite increased security investment and having incident response plans in place, when asked in detail about the preparedness of their organization, 68% of respondents felt unprepared to respond to a data breach. A full 30% of respondents felt their data breach response plan was flat-out ineffective.
Concerns are not just operational. Many companies were more concerned about threats being harder to manage for IT security teams. That’s especially true in the cloud era.
“Historical methods of preparation don’t seem to apply anymore,” said Gerry Grealish, CMO at Perspecsys, told Infosecurity. “Cyber-criminals are finding new and inventive ways to attack companies to get their data, whether it resides on internal systems or the systems of third-party solution providers, like cloud applications.”
In the study, 77% suggested more fire-drills to practice data breach response would help them be more prepared. And, 69% indicated additional funding as a major need to improve response activity. And the vast majority of executives (70%) surveyed also want more oversight and participation from board members, chairman and CEO for data-breach preparedness.
"While more organizations have data breach preparedness on their radar and have developed a response plan, a majority of companies are not putting the support and resources behind having it truly be effective," said Michael Bruemmer, vice-president of Experian Data Breach Resolution. "A checklist response plan alone doesn't mean you're prepared. There should be an incident response team in place that practices the plan and ongoing investment from the C-suite to ensure technologies are up-to-date, external breach experts are secured, and selection of an identity protection product for affected customers is determined prior to an incident to ensure a quick and smooth response."