By Doug Pollack, CIPP/US, chief strategy officer, ID Experts
These days every organization is at risk of a data breach, and every organization defends against and manages breaches in its own way. Most are trying to balance proactive and reactive cybersecurity measures. That is, they’re trying to prevent the next data breach while also preparing for the inevitable—so they can respond quickly and intelligently when a breach occurs.
The recently released Advisen report, “Mitigating the Inevitable: How Organizations Manage Data Breach Exposures,” surveyed over 200 risk professionals in industries ranging from healthcare to government and professional services. Twenty-five percent of the respondents work for large companies (over 15,000 employees), while 30 percent work at companies with fewer than 1,000 employees.
The survey results provide insights that can help you assess how well your proactive and reactive cybersecurity measures stack up against the competition.
- Do You Recognize the Risk?
The report found that 80 percent of surveyed organizations are concerned about the consequences of a large public data breach. If your organization has yet to recognize the risk, it’s likely that you’ve fallen behind in defending against and preparing for the next data breach.
- Can You Detect Every Breach?
If you are certain that you can detect every breach, you’re ahead of the curve. In the survey, 55 percent of respondents did not believe their companies had adequate resources to detect all breaches.
According to the report, reported data breaches are only the tip of the iceberg: far more breaches go unreported, lurking beneath the water’s surface. And that means trouble ahead.
- Do You Conduct an Annual Cybersecurity and Privacy Risk Assessment?
Most organizations seem to recognize that to bolster cybersecurity defenses, they first have to know where they’re vulnerable. Seventy-two percent of respondents said they conduct an annual cybersecurity and privacy risk assessment, and most indicated that they “actively update” their privacy and security policies, training, and internal resources.
- Do You Have Cyber Insurance—and Will It Address Your Needs?
Most of the companies surveyed (64 percent) have cyber insurance, and it may be a smart investment for your organization. However, it is important to know and understand your cyber insurance policy. Consider, for instance, that:
- The organization has to handle breach responses and costs that fall outside the policy.
- Some losses may be excluded under the policy.
- Breach costs may exceed the amount of coverage purchased.
Of the organizations surveyed that had suffered a breach in the past year and had insurance, most indicated that the breaches had fallen below their policy deductible. “While cyber coverage is increasingly viewed as an essential part of many corporate insurance programs,” the report notes, “it is designed to protect against low frequency to high severity occurrences.”
- Do You Have a Data Breach Response Plan—and Has It Been Tested?
On the reactive side of cybersecurity, the first step is to develop a data breach response plan. If you lack such a plan, you’re in a distinct minority, as three in four survey respondents indicated they have a plan in place.
Of course it’s not sufficient to just create a plan—you also have to update it on a regular basis to meet ever-evolving security concerns. For instance, policies need to be developed now that specifically address the growing threat posed by ransomware.
In addition, it’s critical to test the efficiency and effectiveness of data breach response plans. An alarming 41 percent of the survey respondents said they either have not tested their plans or don’t know if tests have been performed. If that’s the case for your organization, be aware that it could create problems down the road, when your plan is put to the test.
- Who Will Manage Your Data Breach Response?
If you depend on your IT department to manage your data breach response, you’re not alone. Sixty percent of respondents rely solely on the IT department, despite the fact that IT is generally ill-equipped to handle all the legal and regulatory requirements associated with data breaches.
The best practice for data breach response is to form a cross-functional team with a combination of specialties. Working together, the team members can handle a data breach in a manner that fully protects the organization and meets security and privacy regulations.
- Have You Hired a Data Breach Response Vendor?
About half of the companies surveyed have hired a full-service vendor to manage their large-breach response efforts and minimize risks. Respondents indicated that vendors provide a variety of helpful services, including (in order of indicated value) forensics, protection services such as credit monitoring, pre-breach services, call center, and mailing.
Nearly three in four respondents indicated a preference for a single vendor to handle all the services, which may be a smart idea to simplify and streamline breach responses.