Plan for the worst, but hope for the best

May 17, 2013

Today we live in a world that relies on data, from credit card information exchanged for retail purchases to large electronic files with Social Security numbers and personal medical history. A massive amount of personal information is exchanged and stored on a daily basis. To put it in perspective, according to an IBM study, we create 2.5 quintillion bytes of data daily in all aspects of everyday life. This data enables organizations to increase productivity, provide better value to customers or patients and make more informed business decisions. 

However, as with all good things in life, there can be a downside. A continued rise in threats has led many companies to accept that, at some point, there is a high likelihood they will experience a breach. Many others have already experienced some sort of cyber incident. In both cases, you would expect these organizations to take steps to limit the damage an attack can do. And that's what struck me in a recent Ponemon Institute report: not all companies are preparing.

The report, Is Your Company Ready for a Big Data Breach?, found that nearly four in 10 companies that have already suffered a breach are not preparing for a future one. A majority of the companies surveyed also acknowledged real consequences from a breach, including the loss of customers and business partners, negative publicity and serious financial damage. Despite those consequences, many organizations still aren't actively preparing for the next incident.

Companies struggle to contain the damage from a data breach and to put technologies in place that help prevent future incidents. Even those that do have incident response plans still struggle to execute them and to communicate with the people affected. Mismanagement of the post-breach process then magnifies the harm, both to the organization and to its customers' experience.

A closer look at the data finds that many companies lack the safeguards and tools both to prevent an incident and to quickly establish its extent once one occurs. Less than one-third of respondents said that sensitive or confidential personal and business information stored on computers, servers and other storage devices is generally encrypted. And only 25 percent have the technology to confirm that the root cause of a breach has been fully contained. Note that encrypting stored data mainly protects against lost or stolen devices and disks; it does little against an intruder who has obtained the credentials of an application that is entitled to decrypt the data, so it complements, rather than replaces, the ability to detect and contain an intrusion.

New technologies also bring new challenges. With the move to cloud and mobile devices, the risk of a breach or incident can increase. Yet 61 percent of respondents said their organization does not require mobile devices to be tested for security before they connect to networks or enterprise systems, or were unsure whether it does.

And while technology and safeguards are important, when an incident does happen customers need to understand what the breach means for them. A majority of the organizations surveyed don't provide clear communication and notification to victims following an incident. Only 21 percent of respondents have communications teams trained to assist in responding to victims, and only 30 percent say their organizations train customer service personnel on how to answer questions about a data breach.

Whatever the primary issue, there is a divide between companies at risk (in reality, all of them) and companies that are actually preparing for a breach. To close this gap, organizations should first put incident response plans in place that ensure the right resources are ready to reach customers after an incident, including what will be said to them and the help they will need in order to keep their trust. Second, companies that hold sensitive data should review their protection practices and the technologies available to protect that information. Encrypting sensitive information, for example, can significantly reduce the impact of a breach, provided the keys are managed and stored separately from the data they protect. Last, organizations should consider cyber security insurance. Along with transferring financial risk, these policies can prompt a company to organize itself to manage these issues better.

In this landscape it's not entirely surprising that not all organizations are preparing, but they can't ignore the business impact of a breach. It's critical for the stakeholders in an organization to come together and decide on an approach. As the study found, they must both build improved technical safeguards into company policy and prioritize preventing future breaches and managing post-breach engagement better. It would be great to say that we live in a risk-free world, but we don't. The only thing that makes a data breach worse is not being prepared for it.