The Ponemon Institute released its second annual data breach preparedness study titled “Is Your Company Ready for a Big Data Breach?” in September 2014. Ponemon was able to get survey responses from 567 executive-level representatives from companies based in the United States.
Cost to Organizations
According to the report, the average data breach costs an enterprise $201 per record. However, with a solid incident response plan, this figure falls to only $17, making a strong case for improved IT security. With that noted, the number of companies that had a plan in 2013 was 61%. This grew to 73% in 2014. Nonetheless, data breaches are occurring at a more frequent rate. Conflictingly, a combined 47% of respondents are “unsure” about or believe the plan is “not effective”. In addition, a combined 78% of plans are not reviewed regularly or updated at all.
How Employees Fit into the Picture
Approximately 50% of employees don’t have access to training programs regarding how to handle sensitive personal info. Also, only 54% of respondents replied “Yes” when prompted about whether their organization had a program regarding “privacy/data protection awareness for employees”, though it was a 10-point improvement from 2013. Tellingly, Chief Information Security Officers (CISO) is designated as the person to handle data breach responses by only 21% of respondents but the same number had no person or department delegated for the task.
Technical Considerations
These conditions are making it tough for organizations to secure their IT environments. Here are the Top 3 barriers to improving data breach response:
- Lack of visibility of end-user access
- Mobile & cloud services
- 3rd party access to systems
How can these concerns be addressed specifically in your organization?
Data breach technologies are often not deployed. While anti-virus is a longtime favorite, security incident & event management (SIEM) tools, which can be used with file integrity monitoring software such as CimTrak, are utilized by less than a third of respondents. Combining these mechanisms leads to a more holistic approach to IT security and improves breach detection time.
Response & How to Improve
The report states on page 11 that “Risk assessments and continuous monitoring of information systems for unusual or anomalous traffic are needed.” Unfortunately, the survey recorded that a combined 44% of those that responded never monitor or are unsure about their organization’s schedule. On the upside, 20% are doing continuous monitoring and 21% make it a daily practice. It goes on to say that “Research has shown that a comprehensive plan that is in place in advance of a data breach can reduce overall costs and keep the trust of customers and business partners.” This should be a critical focus in an era of endless reporting about recent breaches and cyber security.
When asked about how to make their data breach response plan more effective, respondents cited these personnel-focused methodologies:
- Increase the participation and oversight of senior executives
- Add staff with security expertise
- Acquire staff that is knowledgeable about compliance with privacy and data protection law
Does this not sound like the role of a Chief Information Security Officer? If we want to experience fewer breach incidents, organizations need to increase their knowledge of C-Suite level involvements with issues in the field of information security. Only 16% of those that answered the survey are reporting to one! However, a combined 38% of respondents report to a Chief Information Officer or Compliance Officer. That said, having someone in a CISO role can help an organization get out in front of the security issues and more aggressively assess the organization’s unique security needs.
This is a vital step in turning the tide of data breaches. 43% of respondents selected “Yes” to a question asking if their organization had been the victim of a breach that involved more than 1,000 records in the last 2 years – up 10% over the prior year! These are the same respondents that a combined 52% of those surveyed said they had not or were unsure of whether their organization had “increased its investment in security technologies” over the last year.
Where to Head Next
The writing is on the wall here and the initial steps are easy ones to take when compared to the cost of a data breach. Get your strategy in place now and make 2015 the year we turn back the onslaught of breaches industrywide. It is time to stop leaning on public relations firms and legal counsel to help dig out after a security incident. After witnessing the never-ending media coverage of cybersecurity stories last year, it is critical that organizations get out in front of the problem. This means increasing IT staff and department sizes as well as bringing in a specialist at the C-suite level such as a Chief Information Security Officer to help secure IT systems.
