More Companies Ready for Cyberattacks: Study
According to a new study, more companies have data response and preparedness plans in place should breaches infiltrate their systems.
The study, “Is Your Company Ready for a Big Data Breach?,” measured the preparedness of a variety of U.S. companies based on responses from 567 top executives.
The study comes from Ponemon Institute, a Traverse City, Mich.-based firm that specializes in data protection and information security. Released in September, the second annual report was sponsored by Experian Data Breach Resolution.
Data breaches have increased in frequency since the 2013 study, with 43% of companies surveyed reporting a breach in 2014, compared to 33% in 2013.
Of this year’s numbers, 60% reported more than one data breach in the past two years.
Fortunately, more companies have data response and preparedness plans, the study said.
In 2014, 73% of companies had the necessary safeguards in place, compared to 67% in 2013.
In addition, 54% of companies had employee awareness and training programs dedicated to cybersecurity practices this year, compared to 44% in 2013.
Finally, the prevalence of cyber insurance policies also has risen. This year, 26% of companies surveyed invested in cyber insurance, compared to 10% in 2013, the study noted.
However, despite having plans in place, many respondents said their past efforts had proved inadequate when it came to warding off cyberattacks.
Everything from decentralization of responsibility to a lack of stress-testing existing plans for continued effectiveness was cited as a problem in various cybersecurity plans. Authors of the Ponemon study offered suggestions to companies wanting to improve their cyber preparedness.
First, incident response plans should be reviewed regularly and reflect the changing risks a company may face. Risk assessments should be conducted to ensure the appropriate technologies are in place to detect and deter a data breach.
In addition, the study recommended that the company’s board of directors, CEO and chairman should play an active role in helping their firm prepare for and respond to a data breach. Employees should receive training on the importance of safeguarding sensitive data, especially customer information.
Finally, accountability and responsibility for data breach responses should be clearly defined and not dispersed throughout the company, the study said. Cross-functional teams that include the expertise necessary to respond to a data breach should be part of the incident response planning process.
When it comes to data breaches, Ken Otsuka will tell you that it’s not a matter of if it will happen, but rather that it will happen and how severe the hit will be.
As senior risk manager at CUNA Mutual Group, Otsuka helps credit unions prepare for the inevitable data breach. With the rise in attacks, he became increasingly concerned about their lack of preparation.
“Some credit unions may be complacent and believe that this is something that only happens to the biggest of the big financial institutions,” Otsuka said. “It can happen to any size financial institution, large or small, and credit unions need to have their defenses, including their incident response plans, up to date.”
Otsuka cited the Ponemon study as an effective touchstone for strengthening a credit union’s security plan.
He said he agreed with specifics outlined in the report, especially those involving employee education and the need for third-party vendors that handle member data to have adequate protection from cyberattacks.
“Smaller credit unions face a more difficult challenge in protecting their network and rely on third-party providers to protect their data,” Otsuka said. “And, security awareness training ranks high on my list.”
The breach trend has already affected credit unions, according to NAFCU’s October Economic & CU Monitor, which said 84.4% of respondents had a data breach at the local level over the past two years.
Given trends in the marketplace, such incidents are expected to increase, some experts have predicted.
Cyber insurance is one way credit unions can protect themselves. For instance, CUNA Mutual’s Cyber Solution package offers a variety of approaches to ensure that, when cyber attackers hit a credit union, many of the costs and contingencies are covered, according to the company.
But there are other ways credit unions can prepare themselves, Otsuka said. The first step is to take the possibility of threats seriously and prepare accordingly.
“A few years ago, when I asked credit unions about encryption of confidential member data, some said it was too expensive for them,” Otsuka said. “In today’s environment, credit unions can’t afford not to encrypt member data.”
“If the network does get hacked and cyberthieves steal data, it can lead to identity fraud and a host of other problems,” he warned.