Ponemon Institute (sponsored by Experian) recently published the latest edition of its annual study entitled “Is Your Company Ready for a Big Data Breach?”. The study looks at the state of breach preparedness across organisations over a period of a year, with this year’s study focusing particularly on the value of Business Continuity Management (BCM) and crisis management plans that aim to minimise the consequences of a data breach. BCM plans look to implement systems that prevent and respond to a data breach in order to limit the impact it has on an organisation. Another aim of BCM plans is to enable certain operations to continue before and during the resolution of the data breach. A crisis management plan, however, is put in place to outline how an organisation should respond to a data breach in order to minimise the long-term damage it can cause. In the study, cyberattacks are the number one crisis such plans cover (46% of respondents), with data breaches being the second (44% of respondents). Those conducting the study surveyed 605 professionals in the US and 465 in EMEA. All of the individuals surveyed work in IT and IT security, compliance and privacy, and are involved in data breach preparedness in their organisations. Below I’ll be outlining some of the key findings of the study; if you wish to read the whole thing, I’ll provide a link at the end which will take you to the Experian page where you can download the full report.
The first finding of the study involves spear-phishing and ransomware attacks. Whilst the total number of these attacks has increased in the past year, the study notes that organisations’ ability to respond to a data breach caused by a remote workforce has improved “significantly”. In 2021, 43% of those surveyed said their organisation was prepared to respond to a data breach caused by a remote workforce, whereas in 2022 the number was 75%. You could argue that this increase is to be expected, with organisations around the world now having had more time to become accustomed to a workforce that largely works from home, as well as the associated risks that come with that. Over the same period, however, the proportion of respondents reporting spear-phishing and ransomware attacks in the previous year has increased from 60% in 2021 to 62% in 2022.
Ponemon Institute has outlined particular findings that show the steps organisations should take to improve their data breach preparedness, which are as follows:
- Organisations need to be prepared for a data breach global in scope or caused by a third party in their supply chain.
- Boards of directors and C-suite executives need to be more engaged in data breach preparedness.
- The maturity of privacy and data protection programs has increased since last year.
- Organisations are still struggling to improve IT security’s ability to respond to a data breach.
- Organisations need to be prepared for a third-party data breach that has their sensitive information.
- Most data breach response plans are stale and may not reflect the potential threats facing their organisation.
- With the increase in global data breaches, more response plans are addressing procedures to mitigate the consequences of these types of incidents.
Below, I’ll detail some of the findings in the Ponemon Institute survey so that you can see where your organisation may sit and get an idea of how prepared you are for a breach.
1. Q. Did your organisation have a data breach involving the loss or theft of more than 1,000 records containing sensitive or confidential information in the past two years?
In 2021, 36% said only once, 30% said 2-3 times, 24% said 4-5 times, and 11% said more than 5 times.
In 2022, 38% said only once, 28% said 2-3 times, 23% said 4-5 times, and 11% said more than 5 times.
2. When asked about the steps they take to minimise the consequences of a data breach involving a third party, 86% said they require the third party to notify their organisation in the event of a breach, 81% said they require the third party to have an incident response plan that their organisation can review, 56% said they require audits of the third party’s security procedures, and 7% said no steps are being taken, which is an increase of 3% from last year.
3. Q. Does your data breach response plan include how to manage an international incident?
In 2021, 47% said yes, 46% said no and 7% said they were unsure.
In 2022, 56% said yes, 36% said no, and 8% said they were unsure.
4. Background checks and security assessments are the top two steps taken to prepare for a data breach: background checks on new full-time employees (64% of respondents) and third-party cybersecurity assessments (57% of respondents). Reviews of physical security and of access to confidential information have declined from 62% of respondents to 52% of respondents.
5. When asked whether their organisation has BCM and crisis management plans, 56% said they have a BCM plan, and 53% said they have a crisis management plan.
The findings above just highlight some of the questions used in the study from which the detailed findings were drawn. The report itself goes into much more detail, with over 30 pages of findings accompanied by graphs to help illustrate them, so if you are looking to assess how prepared your organisation is for a data breach, please do take a look, because the Ponemon Institute’s report will go a long way to helping you do so.
A link to download the report for free can be found here.