More than 70% of executives say their organisations do not fully understand the risks associated with data breaches, a Ponemon Institute survey has revealed.
Less than half of top executives, including board members, are kept informed about the breach response process, according to the 2014 Executive Breach Preparedness Research Report, commissioned by HP.
Of the nearly 500 senior executives polled in the UK and the US, only 45% said they were accountable for the incident-response process.
The survey on the importance of senior executive involvement in breach response found that while 79% of respondents said executive-level involvement is necessary to achieving a successful data breach response, only 70% believed board-level oversight was also crucial.
The survey also revealed that only 45% of executives considered their own enterprise’s incident response process as either proactive or mature.
Be prepared for a data breach
According to the report, an important step to making these plans more effective would be to take into account both the value and importance of data to an organisation’s business operations.
KEY STUDY FINDINGS
- Poor communications, lack of leadership and lack of board input are barriers to effective incident response
- Senior executives believe their involvement in the incident response process is necessary
- Current incident response plans are more reactive than proactive
- Executive-level oversight is critical to minimising financial loss and protecting reputation and brand
- Understanding the risk and approving incident response plans should be on the board of directors’ agenda
- Negligent and malicious insiders are considered the biggest security risks
- Incident response should focus on understanding the cause of an incident and addressing the negligent insider risk
“Without a well thought out plan in place, and without the proper guidance, training and process instituted throughout the organisation, executives can stumble when dealing with the public outcry once sensitive data has been compromised,” said Arthur Wong, senior vice-president and general manager for enterprise security services at HP.
The survey showed that senior executives are more concerned about the threat within than external risks caused by cyber criminals and hacktivists.
Some 42% of respondents said they worried most about negligent insiders, followed by 25% who said they were concerned about malicious insiders.
Some 57% of respondents admitted the loss or theft of more than 10,000 records containing confidential or sensitive information would constitute a significant data breach.
In terms of cost, the survey revealed that a data breach that averages approximately $2m would be considered significant.
The financial consequences from a security breach can be severe, according to the Ponemon Institute, costing 38 UK organisations an average of £3.56m a year, ranging from £545,000 to £14m.
“No amount of spend can completely protect organisations from highly sophisticated cyber attacks, but how prepared an organisation is in the event of a breach can mean the difference between a speed bump in the road or a catastrophic business event,” said Wong.
To help executives prepare for a breach, HP has developed free online resources to determine the amount of risk an organisation faces and its readiness to respond to a breach.
These resources include a study exploring how 300 global organisations plan and use best practices to prepare for cyber security incidents, along with a breach response assessment benchmarking tool.
The online resources also include scenarios, best practices and benefits in planning that will help an organisation understand the response plan and how to be prepared in the event of a data breach.
RECOMMENDATIONS TO EXECUTIVES
- Identify the valuable and sensitive information that could be targeted and have a strategy for its protection
- Have an independent third party provide recommendations on the adequacy of security practices and procedures
- Schedule regular meetings with the CEO and board of directors to keep them informed about the threats to the organisation and the ability of the organisation to mitigate the risk of a security incident
- Require frequent fire drills and/or war games to assess readiness
- Address the insider threat with training and awareness programmes
- Require audits to ensure training is ongoing and effective
- Centralise leadership of the response process
Data breach response is a board-level issue
According to the Ponemon Institute, senior executives and boards of directors may have been complacent about the risks posed by data breaches and cyber attacks in the past.
“However, there is a growing concern about the potential damage to reputation, class action lawsuits and costly downtime that is motivating executives to pay greater attention to the security practices of their organisations,” the report said.
The study confirmed senior executives’ motivation to become involved in breach response to help reduce the financial impact of potential incidents and to protect their companies’ reputation and brand, the Ponemon Institute said.
According to the study, the primary barriers to an effective breach response are poor communications, lack of leadership and lack of board input.
Other research has shown that IT and security practitioners often have a difficult time talking about security risks with senior executives, especially when it involves explaining the consequences of a data breach.
In one Ponemon Institute study, 65% of IT practitioners surveyed said that, when asked to provide a report on a security incident that had major consequences for the organisation, they would modify, filter or water down their reports about the incident.
It is likely, therefore, that many CEOs, directors and other corporate leaders are in the dark about the state of their organisations’ breach preparedness, the Ponemon Institute said.