Who among us has not experienced déjà vu, the eerie experience of feeling you are in a situation where you have already been there and done that, or literally, have already seen something? It is generally agreed that somewhere between two-thirds and all of humanity have had such an experience. If you haven’t, you can refer to the Denzel Washington movie Déjà Vu to get a rough idea of the concept. I point this out because I just went back through the Ponemon Institute’s Fourth Annual Study: Is Your Company Ready for a Big Data Breach? What is striking about the findings is the sense that we’ve seen this before. To wit:
Companies are not confident dealing with the most serious consequences of a data breach.
Only 41 percent of respondents say their company is able to respond to a data breach involving business confidential information and intellectual property.
Only 27 percent of respondents say they are confident in their ability to minimize the financial and reputational consequences of a material data breach.
To be effective, data breach response plans need senior level involvement.
Most boards of directors, chairmen and CEOs are not actively engaged, and avoid responsibility, in data breach preparedness. Since 2014, participants in this annual research have increasingly asked for more participation and oversight from senior executives, but it does not seem to be happening.
Fifty-seven percent of respondents say their company’s board of directors, chairman and CEO are not informed and involved in plans to deal with a possible data breach.
Only 40 percent of respondents say they want to know ASAP if a material data breach occurs.
About one-third (34 percent of respondents) say the board does understand the specific security threats facing their organization.
Only 26 percent of respondents believe the board is willing to assume responsibility for the successful execution of the incident response plan.
Updating a data breach response plan is a crucial but often missed step.
Most companies have a data breach response plan but it is not regularly reviewed. While 86 percent of respondents say their organizations have a data breach notification plan in place, only 24 percent of respondents say they have a procedure for updating their plan on a yearly basis.
As part of data breach preparedness, employee privacy and data protection awareness programs are critical to reducing the risk of employee negligence.
While more companies are offering these programs, they are often only offered during employee orientation. In 2013, 44 percent of respondents said their organizations had such awareness programs for employees and other stakeholders who have access to sensitive or confidential personal information. In 2016, this increased to 61 percent of respondents.
So where does this leave us? Possibly, that we’re not confident we can deal with the most serious consequences of a data breach, in part because senior management is not taking sufficient responsibility for planning and preparation, incident response plans are not being kept up to date, and we are not doing enough to address the area of greatest vulnerability—our employees. I’m fairly confident this is not a trick of the memory. We can look at Ponemon’s earlier studies and see the same areas called out. No wonder so many people are forecasting 2017 to be a very bad year for cybersecurity.
By Tom Davis, SDI Cyber Risk Practice
January 17, 2017