Experian Data Breach Resolution and the Ponemon Institute today released a new study that finds that, despite the majority of companies experiencing or anticipating significant cost and business disruption due to a material data breach, they still struggle to take the proper measures to mitigate damage in the wake of an incident. The report, Is Your Company Ready for a Big Data Breach?, examines the consequences of data breach incidents and the steps taken to lessen future damage. Respondents include senior privacy and compliance professionals of organizations that experienced at least one data breach. The top three industries represented are retail, health and pharmaceuticals, and financial services.
“A majority of companies we surveyed indicate they have already or are very likely to lose customers and business partners, receive negative publicity and face serious financial consequences due to a data breach,” said Michael Bruemmer, vice president at Experian Data Breach Resolution. “Yet, despite understanding the consequences, many companies struggle to take the right steps to mitigate the fallout following an incident, demonstrating a need for better awareness and investment in the tools that can alleviate negative customer perceptions.”
Key findings include:
Companies experience and anticipate harm due to breaches
Companies that suffer data breaches experience significant costs and business disruption, including the loss of business and trust from customers, negative media attention and legal action.
- Seventy-six percent of privacy professionals say their organization already had or expects to have a material data breach that results in the loss of customers and business partners.
- Similarly, 75 percent say they have had or expect to have such an incident that results in negative public opinion and media coverage.
- Sixty-six percent of companies have or believe they will suffer serious financial consequences as a result of an incident.
Despite consequences, incident response remains a challenge
Companies struggle to properly handle potential damage due to a data breach and implement technologies to help prevent future incidents, even after suffering an incident.
- Despite experiencing a breach, not all companies prepare for a future breach.
  - Thirty-nine percent of companies say they have not developed a formal incident breach preparedness plan even after experiencing a breach.
  - Only 10 percent of organizations have data breach or cyber insurance.
- A majority of organizations surveyed don’t provide clear communication and notification to victims following an incident.
  - In fact, only 21 percent of respondents have communications teams trained to assist in responding to victims.
  - Additionally, only 30 percent of respondents say their organizations train customer service personnel on how to respond to questions about the data breach incident.
  - The vast majority (65 percent) also lack mechanisms to verify that contact with each victim was completed, and only 38 percent have mechanisms for working with victims with special circumstances.
- The survey also finds that organizations are missing security technology safeguards and tools to prevent or understand the extent of an incident.
  - Encryption is not widely deployed: Less than one-third of respondents say sensitive or confidential personal and business information stored on computers, servers and other storage devices is generally encrypted.
  - Forensics is lacking: Many organizations lack the forensics capabilities to fully understand the nature and extent of the incident.
    - Only 36 percent have the tools or technologies to assess the size and impact of a data breach.
    - Nineteen percent have advanced forensics to determine the nature and root causes of cyberattacks.
    - Only 25 percent have the ability to ensure the root cause of the data breach was fully contained.
“The study findings show that organizations need to prioritize preventing future breaches and better manage post-breach response,” said Dr. Larry Ponemon, chairman and founder of the Ponemon Institute. “In addition to improving technical safeguards, it’s clear that companies also should focus more attention on meeting the needs of affected consumers that suffer a data breach.”
To access the full report, Is Your Company Ready for a Big Data Breach?, visit www.experian.com/readiness.