“Complacency kills” – Businesses and organisations are encouraged to keep on top of their data breach response plans

Although many businesses and organisations should have in place a security team and a ‘data breach preparedness plan’, it is said that many do not review, update, or actually practice it.

I then ask: what’s the point of having such a plan?

Costs of a data breach

In the growing digital era, the risk of a cyber attack is a lingering shadow that sits silently over the top of most organisations throughout the world. I do not say that just to scare you: statistics show that cyber attacks are fast becoming a trend for fraudsters and criminals, and the financial costs are rising.

For small firms, an average cost for a data breach was valued at £190,000 last year. For larger companies an average cost for a data breach rose from £800,000 in 2014 to £2.3 million last year. The increase of fines could be due to an increase in reports.

Effective data breach response plans

But just because companies have a ‘response plan’ in place does not mean that companies or organisations are actually prepared to respond effectively and accordingly. This is supported by Michael Bruemmer, the vice president at Experian Data Breach Resolution, and comes down to organisations who do not periodically review or update the plans, meaning that it becomes outdated and not applicable to the company anymore. It’s plausible that a plan is put in place, but without practising or continually reviewing it, that does not make the plan effective. This could be likened to getting on the football team – if you do not go to football practices or review your techniques, your skills can become rusty and eventually outdated.

Study: positive findings

An annual study conducted by a security research firm, Ponemon Institute, on behalf of Experian Data Breach Resolution, found that 86% of 619 employees surveyed were prepared for a data breach in 2016. Some positive signs come from this, as 58% of the employees found that there had been increased investment in the technology to secure data. 61% of employees also said that privacy and data protection awareness and training programmes were put in place.

Businesses and organisations have also recognised that keeping their customers informed is the best way to maintain their credibility and reputation as a company.

Study: negative findings

Even though there is a positive study to suggest that a majority of companies are doing their best to comply with security procedures, it doesn’t mean that they are 100% equipped to deal with the data breach. In most cases, businesses need to focus their attentions on executing their response plans successfully. This could be down to not reviewing the plans put in place. Ponemon’s study supports this as only 29% of companies have not reviewed or updated their plan since it was first introduced.

It’s not just my concern: over half of the businesses that took part in the study admitted that they were not confident if a cyberattack was to take place. If the businesses are not confident in their plans, how are we supposed to put our trust into them?

Further areas of concern relate to businesses’ cybersecurity plans. 26% of businesses do not practice their plan, as 64% believe that it’s not a priority for their business. I welcome those 64% of businesses who believe this is the case to come back to me once they have been a victim/witness to such cybercrime, as we know all too well that it has jeopardising consequences for a business. Further to this, only 46% of companies have integrated a response plan in their long-term business plans. This suggests that companies do not see a real threat to cybercrime.

Wise words

Mr Bruemmer’s message should be spread worldwide:

“…investing in breach preparedness is like planning for a natural disaster, you hope it will never happen, but just in case, you invest time and resources in a plan so your company can survive the storm.”

Without such preparedness, if your company is breached, the risk of maximum damage to your business or organisation is very high.