The good, the bad, and the scary from Experian's data breach report

Many security teams don't update response plans on a regular basis but complying with GDPR is getting easier.

Spear phishing and global attacks went up in 2019, but so did spending on security technology. Security teams are also more confident about their data breach response plans, even though only 57% report such confidence. Experian and the Ponemon Institute shared the state of data breaches and defenses against these attacks in the seventh annual "Is Your Company Ready for a Big Data Breach?" report.

Experian has firsthand experience with a massive data breach. In 2015, Experian disclosed a data breach which led to the compromise of information -- including Social Security numbers -- belonging to 15 million consumers. The data belonged to T-Mobile customers; Experian processes credit checks for the wireless carrier.

Here is a recap of what is getting better, what is getting worse and what is still downright frightening.

The good news: Stronger defenses

A majority of organizations are regularly reviewing physical security and access to confidential information. Most companies are also conducting background checks on new full-time employees and vendors.

Just over half are conducting third-party cybersecurity assessments and integrating data breach response into business continuity plans. There has been an increase in subscriptions to a dark web monitoring service to 26% in 2019 from 19% in 2018.

Also, more companies are backing up data and systems more frequently and updating business continuity plans to account for potential ransomware attacks.

Companies are also finding it easier to comply with Europe's General Data Protection Regulation. Almost all the respondents had to comply with the law and 54% said they had a high or very high ability to do so. Companies are getting better at following rules around breach notification as well, with 50% rating this capability as high or very high, compared to 23% in 2018.

Respondents are still adjusting to California's Consumer Privacy Act and 56% report it will take comprehensive changes in business practices to do so. 

The bad news: More spear phishing

Spear phishing is getting worse, and IT pros are less confident in their ability to deal with it. Sixty-nine percent of respondents reported at least one spear phishing attack in 2019, and 67% said the consequences were significant or very significant.

In 2017, 31% of respondents said they were confident about dealing with spear phishing but the number dropped to 23% this year. Ransomware is even more of a threat, with only 20% saying they were confident or very confident in their ability to deal with those attacks. That number has not changed since 2017.

Respondents named lack of visibility into end-user access of sensitive and confidential information as the No. 1 barrier to improving data breach response. Security teams are also dealing with a lack of expertise and a lack of understanding of unsecured IoT devices.

Respondents listed these top five responses to a question about how to make data breach response plans more effective:

  1. Assign individuals with a high level of expertise in security to the team
  2. Increase participation and oversight from senior executives
  3. Conduct more fire drills
  4. Incorporate lessons from previous breaches
  5. Have a budget dedicated to data breach preparedness

The scary stuff: No regular updates

The survey found that companies are not taking the basic step of updating their breach response plans on a regular basis. Forty percent of respondents said there was no set time period for reviewing and updating the plan and 26% said their plans have never been reviewed or updated. Just over a quarter said they do an annual update.

Even as the scope of the Internet of Things continues to grow, IT teams are not prepared to deal with attacks on these systems. Only 23% said they were fully prepared to deal with an IoT attack, in part because of a lack of understanding of unsecured IoT devices.

Security teams are also worried about international data breaches. These global breaches are on the rise, reaching 64% in 2019 as compared to 54% in 2017. Only 34% of respondents were confident in their ability to deal with a breach of this nature.

Benefits of a mature security plan

This year, Ponemon and Experian asked companies about the maturity level of their security programs. Only 19% of respondents said their privacy and data protection programs qualify as mature, meaning that activities are fully defined, maintained across the enterprise and measured with key performance indicators.

Among these programs, C-level executives are regularly informed about the program's effectiveness. The survey found that companies that have a mature security plan are:

  • More adept at preventing negative public opinion and media coverage
  • Increasing investments in security technologies to be able to detect and respond quickly to a data breach
  • More likely to participate in sharing information about their data breach and incident response experiences with government and industry peers
  • Better prepared to manage an international data breach

Survey methodology

The breach survey included 650 professionals in the United States and 456 in Europe, the Middle East and Africa. All respondents work in IT and IT security, compliance and privacy and are involved in data breach response plans in their organizations. In this research project, a data breach is defined as the loss or theft of information assets, including intellectual property such as trade secrets, contact lists, business plans and source code.

[Image: Ponemon Institute. Caption: In a survey of more than 1,000 IT professionals, the Ponemon Institute found that only 26 percent of respondents say their data breach response plans are reviewed annually.]