Good news for security leaders. More executives and boards are taking an active interest in breach preparedness efforts. And the trend is improving.
This comes from the Experian Third Annual Study on Data Breach Preparedness. It captures the perception of breach preparedness from 604 executives. Surveys like this are fantastic cues for where to explore and focus. More so when they include trend information.
Some highlights that suggest progress:
81% (an increase from 73% in 2014) have a response plan in place
82% require a business partner or third party to have an incident response plan they can review
Senior executive involvement is up 10% from 2014. Now 39% of officers and directors are involved in incident response planning.
More companies have a cyber insurance policy (35%) compared to 10% in 2014
Perhaps this signals an increase in adoption of the “anticipate breach” mindset. The survey also reveals some areas to focus on. Only 34% of respondents say their organizations’ data breach response plan is effective.
When pressed to explain why, we learn:
45% report their awareness and training programs are not reviewed and updated to address the areas of greatest risk to the organization.
45% say their companies either do not practice responding to a data breach or wait more than two years to practice
43% do not have, or are unsure whether they have, an employee training program
37% of respondents do not address procedures for responding to a data breach involving an overseas location
As Michael Bruemmer, vice president, Experian Data Breach Resolution, explains, “Despite today’s threat landscape, many companies still underestimate the impact of data breaches as a corporate issue – viewing data security as an IT issue instead of a business problem.”
An interesting finding: the action of companies “getting it right”
I enjoy the briefings that come with the survey results. They let me ask questions to get into the meat of what was actually learned. I asked Bruemmer if the survey revealed anything useful about the companies that seem to be “getting it right.”
With a smile in his voice, he shared this insight: “Often, the companies that are most prepared to respond to a data breach have a cyber insurance policy in place. Of the 604 executives we surveyed, 35 percent indicated they have a cyber insurance policy. That is a big jump considering only 10 percent had a policy in place when we first conducted this survey in 2013.”
I’ve talked about the importance of insurance at conferences and on podcasts. While still in the infancy stages, this is a significant development. I recently wrote about how the cloud improves security as a “forcing function.”
Insurance is a forcing function, too. The increase in insurance policies sets an intention that drives action.
Executives know they can’t just write a check. The process of underwriting includes some level of review and discussion. It advances preparedness. And that’s the opportunity for security leaders. Get involved to understand and guide better choices.
The opportunity in teaching others
Bringing up “security awareness” is a sure-fire way to rile me up. We often confuse awareness and training. But it came up during our discussion. Bruemmer stressed the need to improve training for frontline employees.
If we asked your executive team if you have a training program in place, what would they say?
In this survey, 43% said they have no idea.
Your leadership opportunity
Understanding executive concerns is a cue on where to focus. At least where to start. In this survey, the loss or theft of intellectual property (64%) and consumer data (53%) topped the list.
How does that match your experience in your organization?
It might be the perfect place for conversations with others. Share the information. Ask them if they share the same concern. If they do, explore what intellectual property and customer information is most important. Work to align your assets and efforts to better protect that information.
Involve the executives. Elevate their confidence in your leadership. Introduce the mindset of anticipate breach.
As Bruemmer points out, “If a company has a security mindset, it is cascaded down from the board level. The companies that have this mentality have fewer data breach incidents and a better culture.”