
More companies form data breach response plans


More companies are introducing data breach response plans, but relatively few have confidence in their effectiveness, says a study issued Tuesday by the Ponemon Institute L.L.C.

In findings that closely resemble those of a year ago, the survey of 600 executives, conducted in September by the Traverse City, Michigan-based data security research firm, found that while 81% of executives have a data breach plan, compared with 61% in 2013, just 34% said their plans are either “very effective” or “effective.” This compares with the 30% who gave this response in 2014's survey.

“Thus, major gaps remain in how they are comprehensively preparing for a data breach,” says “Third Annual Study: Is Your Company Ready for a Big Data Breach?” which was sponsored by Experian Data Breach Resolution, a unit of Costa Mesa, California-based Experian Information Solutions Inc.

A total of 35% of respondents said their organization purchased data breach or cyber insurance policies, compared with 26% in 2014 and 10% in 2013's study.

Asked to cite the two most important reasons to purchase the insurance, the responses were: C-level executives and board members believe it is important, cited by 50%; it provides resources to help the organization understand cyber threats, 49%; access to expertise, 44%; a pre-vetted list of qualified providers and consultants, 31%; and more favored rates with third parties who help respond to the data breach, 23%.

Among other survey findings, 39% of respondents said their boards, chairmen and CEOs are involved in the issue at a high level, compared with 29% in 2014.

“Data breach response plans are often missing crucial steps,” says the report, however. For instance, it states that despite a rise in international data breaches and the number of companies operating overseas, 37% of respondents do not address procedures for responding to a data breach involving an overseas location.

The study also found that among companies that provide employee security training, 40% conduct it only once, and 31% do so sporadically.