When it comes to customer data protection, firms are phoning it in

The survey of 500 IT professionals who had experienced a data breach at their organization also found that 60% of respondents said the customer data that was lost or stolen was not encrypted.

“Something that was eye-opening was the fact that quite a few of the breaches could have been prevented”, said Ozzie Fonseca, senior director at Experian Data Breach Resolution. He told Infosecurity that data encryption could have gone a long way in preventing many of the breaches. “In this day and age, I find it difficult to understand why a company would have sensitive information that was not encrypted”, he added.

Examples of the types of data that companies lost included email (70%), credit card or bank payment information (45%), and social security numbers (33%).

The breach was caused by a negligent insider for 34% of respondents, by outsourcing of data to a third party for 19% of respondents, and by a malicious insider for 16%. Where a negligent insider was the cause of a breach, “a simple training program could have prevented it”, Fonseca said.

The majority of respondents (66%) said that the experience of investigating the causes of a breach will help them in determining the root causes of future incidents.

Following the data breach, 61% of respondents said their organizations increased their security budget and 28% hired additional IT security staff.

“What we are seeing is that things that should have been done as a matter of course…became the focus only after the breach happened”, Fonseca observed.

When it came to reducing the negative consequences of the data breach, retaining outside legal counsel (56%) and carefully assessing the harm to victims (50%) ranked as the highest priorities.

At the same time, 73% of respondents said their organization did not offer identity protection products or services such as credit monitoring and other identity theft protection measures, including fraud resolution, scans, and alerts, to victims.

“Although companies felt responsible for the event and wanted to do the right thing by educating employees and increasing IT budgets, more than 70% of the companies neglected to also consider the victims' well-being by providing some type of protection product”, Fonseca said.
