Every organization, in every industry and of every size, is at risk for data breach. Most organizations have experienced a data breach whether or not they know it.
According to the new Advisen Ltd. report Mitigating the Inevitable: How Organizations Manage Data Breach Exposures, sponsored by ID Experts®, the majority of breaches are small and may go undetected for a long time. When they are detected, most organizations lack the internal resources to handle breach response, putting them at greater risk for costly fines and lawsuits, reputational harm, and customer identity theft. It's no wonder, then, that 80 percent of organizations are concerned about the consequences of a large breach and the impact it will have on their business. While 64 percent of those surveyed have cyber insurance, most small breaches aren't covered, leaving organizations struggling to manage gaps in cyber insurance coverage.
"The report indicates that there is a lot of concern about data breach impact and uncertainty about data breach response best practices. Most organizations are not prepared to manage the high-risk, high-threat landscape in which we do business," said Jeremy Henley, director of breach services at ID Experts. "Sixty percent of respondents rely solely on the IT department to manage data breach response. However, best practice is a cross-functional team with a combination of specialties to handle a data breach to fully protect the organization and meet privacy and regulatory compliance."
"Why do breaches go undetected? Many organizations do not have the qualified resources, processes, or systems in place," said Aloysius Tan, product manager at Advisen. "For organizations who lack the resources, full-service breach response vendors can help. Respondents are most interested in help with forensics, protection services, pre-breach services, and call centers."
Key Findings of the Report
- All organizations are at risk for data breach and most are not prepared.
If they collect or store sensitive data, organizations of all sizes and in all industries are exposed and are at risk for data breach. Organizations that proactively prepare for and manage data breach risk will significantly reduce breach impact. However, the report finds that organizations are not prepared for data breaches, due to inadequate resources.
- Most organizations are concerned about the consequences of a data breach.
The majority of breaches are small, under 500 records, and may go undetected for a long time. Eighty percent of organizations are concerned about the consequences of a large data breach and the impact it will have on their business. More than half, or 55 percent of respondents, don't believe their company has adequate resources to detect breaches, so many breaches may go undiscovered. Seventy-five percent of respondents have developed an incident response plan, but only 42 percent have tested the plan. Seventy-two percent of respondents said they conduct a cybersecurity and privacy risk assessment at least annually. However, they may not have a consistent process in place for effective assessment, resulting in errors or inconsistencies.
- Most organizations aren't prepared to manage data breach response.
The report found that while many organizations are taking key steps to prevent and detect data breaches, many are not prepared for or lack the resources to manage data breach response, including the legal and regulatory requirements. The majority of organizations use internal resources to manage small but high-frequency breaches. In fact, 60 percent of respondents rely solely on the IT department to manage data breach response. However, IT on its own is generally not equipped to handle data breach compliance and regulatory requirements.
- Organizations struggle with gaps in cyber insurance coverage.
Sixty-four percent of those surveyed have cyber insurance. While cyber liability insurance has proven effective in covering many cyber-related losses, the majority of small breaches often fall below cyber insurance policy deductibles that trigger coverage, leaving organizations to manage and pay for all breach response.