According to the new survey conducted by the Ponemon Institute on behalf of Experian, companies are complacent and lack confidence when it comes to data breach preparedness. A result which I found to be most astounding given the fact that every day we read of yet another company, institute, organization or governmental entity experiencing a data breach.  The study, “Is Your Company Ready for a Big Data Breach?” (registration wall), highlights the good and the bad which the surveyed companies declared. Pulling from the Experian press release:

The Bad

• Among those organizations surveyed that do not practice their plan (26%), a majority (64%) don’t practice because it is not a priority.
• Only 38% of companies surveyed have a data breach or cyber insurance policy. Of those that do not have such a policy, 40% have no plans to purchase one.
• Less than half (46%) of survey respondents have integrated response plans into their business continuity plans, and only 12% meet with law enforcement or state regulators in advance of an incident.
• Only 39% of organizations surveyed practice their plan at least twice a year.

The Good

• 58% of surveyed organizations (compared with 48% in 2014) have increased their investment in security technologies in the past 12 months in order to be able to detect and respond quickly to a data breach.
• 61% of surveyed organizations (compared with 44% in 2013) have a privacy/data protection awareness and training program for employees and other stakeholders who have access to sensitive or confidential personal information.
• Companies understand that they need to take action after a breach occurs to keep customers and maintain their reputation. To do so, those surveyed believe the best approaches are providing free identity theft protection and credit monitoring services (71%), gift cards (45%), and discounts on products or services (40%).

But there’s more

Data breach preparedness is severely hampered, as the IT teams have little or no visibility. A full 73 percent of respondents lamented that their IT teams lacked visibility into end-user access of sensitive and confidential information. Really?  If the IT team does not have visibility into how the end-user is accessing the company’s sensitive and confidential data, who does.  In these entities, does the leadership ordain it’s every man or woman for themselves? Where is the security architecture demonstrating to the data custodians the state of their data with respect to security and privacy at all times. As we come to the end of 2016, this has long been table stakes for any entity involved in retaining or processing personal identifying information (PII).

The survey went on to show how the financial service industry was the most egregious and experienced 19 percent of the breaches within the population of the survey respondents, with the public sector following.

We can do better

What I found most disturbing though, was the lack of C-suite support, coupled with the lack of expertise addressing the protection of the sensitive and confidential data. Thus the C-suites choose to lead with their chins as they embrace the age-old infosec technique called, luck.

Therefore, we are forced to admonish any and all entities, do not collect what you can’t protect.   Do not rely on obscurity as a viable defense.  Do not assume because your company is small in size the PII in your possession, for employees, partners or customers does not have value.  And finally, do not allow any third party access to your data until you understand how they are accessing this data and how they are protecting your data. Do be a part of the 40 percent of respondents who wanted to know if a material breach occurs, and if you are the CISO, head of IT or CSO, please do ensure your board is aware of the security threats facing the company.

To do nothing is not an option. If you need help, reach out to the security, privacy and intelligence professional of your choice.