Experian Data Breach Resolution and the Ponemon Institute have released a study that finds that, despite the majority of companies experiencing or anticipating significant cost and business disruption due to a material data breach, they still struggle to take the proper measures to mitigate damage in the wake of an incident.
The report, “Is Your Company Ready for a Big Data Breach?” examines the consequences of data breach incidents and the steps taken to lessen future damage.
Respondents include senior privacy and compliance professionals of organisations that experienced at least one data breach. The top three industries represented are retail, health and pharmaceuticals, and financial services.
“A majority of companies we surveyed indicate they have already or are very likely to lose customers and business partners, receive negative publicity and face serious financial consequences due to a data breach,” said Michael Bruemmer, vice president at Experian Data Breach Resolution. “Yet, despite understanding the consequences, many companies struggle to take the right steps to mitigate the fallout following an incident, demonstrating a need for better awareness and investment in the tools that can alleviate negative customer perceptions.”
The study’s key findings include:
Companies experience and anticipate harm due to breaches
Companies that suffer data breaches experience significant costs and business disruption, including the loss of business and trust from customers, negative media attention and legal action.
- 76% of privacy professionals say their organisation already had or expects to have a material data breach that results in the loss of customers and business partners.
- 75% say they have had or expect to have such an incident that results in negative public opinion and media coverage.
- 66% of companies have or believe they will suffer serious financial consequences as a result of an incident.
Despite consequences, incident response remains a challenge
Companies struggle to properly handle potential damage due to a data breach and implement technologies to help prevent future incidents, even after suffering an incident.
- Despite experiencing a breach, not all companies prepare for a future breach.
  - 39% of companies say they have not developed a formal incident breach preparedness plan even after experiencing a breach.
  - 10% of organizations have data breach or cyber insurance.
- A majority of organisations surveyed do not provide clear communication and notification to victims following an incident.
  - 21% of respondents have communications teams trained to assist in responding to victims.
  - 30% of respondents say their organisations train customer service personnel on how to respond to questions about the data breach incident.
  - 65% also lack mechanisms to verify that contact with each victim was completed, and only 38% have mechanisms for working with victims with special circumstances.
- The survey also finds that organizations are missing security technology safeguards and tools to prevent or understand the extent of an incident.
  - Encryption is not widely deployed: Less than one-third of respondents say sensitive or confidential personal and business information stored on computers, servers and other storage devices is generally encrypted.
  - Forensics is lacking. Many organizations lack the forensics capabilities to fully understand the nature and extent of the incident.
    - Only 36% have the tools or technologies to assess the size and impact of a data breach.
    - 19% have advanced forensics to determine the nature and root causes of cyberattacks.
    - 25% have the ability to ensure the root cause of the data breach was fully contained.
“The study findings show that organizations need to prioritize preventing future breaches and better manage post-breach response,” said Dr. Larry Ponemon, Chairman and founder of the Ponemon Institute. “In addition to improving technical safeguards, it’s clear that companies also should focus more attention on meeting the needs of affected consumers that suffer a data breach.”