Despite the escalating number of data breaches and the seemingly non-stop headlines that they generate, UK businesses are unprepared, unconcerned for the consequences and seemingly nonchalant about consumer impact in the wake of an incident.
According to Experian’s study, Data Breach Readiness 2.0: The Customer First Data Breach Response, (34%) of UK businesses have no data breach response plan in place at all. Of those that do, a quarter of these plans do not include specialist crisis communications (23%) or legal support (27%).
And, despite the focus on tracking down culprits and assigning attribution to incidents, more than a third (37%) of respondents had not included or considered digital forensics.
Worse, only one third have specific budgets set aside to deal with data breaches, in spite of 81% saying they are concerned about the financial impact of recovering from a breach.
Also, 39% have no reporting procedures in place for lost data or devices (e.g. company laptops or phones), and less than half (43%) have data breach or cyber insurance policies in place.
The results come against a backdrop of another significant finding: almost one-fifth of UK businesses have suffered at least one data breach in the last two years, with a staggering 40% of British consumers affected. Also, two-thirds (64%) of consumers are concerned about falling victim in the future.
“With unprecedented levels of personally identifiable information being illegally traded online, the ever increasing sophistication of cybercrime means the potential impact on consumers, if their information is compromised, has never been greater,” the report noted.
This has ramifications for the aftermath of a breach for companies. Most notably, it is evidenced that consumers are less understanding and less willing to see organizations affected by data breaches as ‘victims.’ Rather, they increasingly believe that data breaches come as a result of the organizations’ own failures—failures in procedures, security and data controls.
In fact:
84% think companies should be penalized for compromising their customers' personal information.
83% think companies should be subject to increased regulation to better protect customers.
80% say their level of trust would decrease if a company lost their personal data.
67% would advise friends and family against the organization.
63% say they are likely to leave an organization if a data breach occurred.
While preparedness levels were seen to be notably higher among organizations that have been affected by a breach in the past, 57% go on to be affected again within just two years.
Even so, given the lack of preparedness, it appears that UK organizations are failing to recognize and mitigate these risks. And further, many of them are taking a laissez-faire approach to taking care of their customers.
Less than half of organizations (47%) would notify customers ‘as quickly as possible’ following a data breach. Less than a quarter (21%) would offer an identity protection service to existing customers, and only one in 10 would offer a free credit monitoring service.
“The prevalence and severity of data breach incidents will continue to accelerate, as will the volume of reported cases,” said Amir Goshtai, managing director at Affinity Experian Consumer Services. “When coupled with the potential for greater regulation, increased consumer awareness and widespread media coverage, it has never been more important for organizations to be well prepared. And at the heart of any plan needs to be an unwavering focus minimizing the impact on their customers."