Canadian Underwriter

Most breaches at surveyed U.S. organizations small and undetected: report


March 15, 2016   by Canadian Underwriter



Data breaches know no boundaries when it comes to industry or size, with most surveyed organizations in the United States likely having experienced a breach, the majority of which are small and may go undetected for a long time, suggests a new report from information and research provider Advisen Ltd.

Most polled U.S. firms unprepared for proper data breach response

Even when breaches are detected, “most organizations lack the internal resources to handle breach response, putting them at greater risk for costly fines and lawsuits, reputational harm and customer identity theft,” notes an Advisen statement last week announcing the release of Mitigating the Inevitable: How Organizations Manage Data Breach Exposures, sponsored by software and services provider ID Experts.

Survey results show most respondent organizations – 80% – may be concerned about the prospect of a large data breach and its impact on their businesses. “If they collect or store sensitive data, organizations of all sizes and in all industries are exposed and are at risk for data breach,” the statement notes.

Despite the concern over a breach’s impact on business, however, “most organizations are not prepared to manage the high-risk, high-threat landscape in which we do business,” cautions Jeremy Henley, director of breach services at ID Experts.

Organizations that proactively prepare for and manage data breach risk will significantly reduce breach impact, Advisen argues. Still, report findings show that most respondents are not prepared for data breaches because of inadequate resources.

Pointing out that 60% of respondents report relying solely on the IT department to manage data breach response, Henley contends that this approach is at odds with best practice, which involves employing “a cross-functional team with a combination of specialties to handle a data breach to fully protect the organization and meet privacy and regulatory compliance.”

The majority of polled organizations use internal resources to manage small but high-frequency breaches, Advisen reports. “However, IT on its own is generally not equipped to handle data breach compliance and regulatory requirements,” the statement adds.

Beyond not being prepared to manage breach response, findings indicate that respondents are struggling to manage gaps in cyber insurance coverage. Almost two-thirds – 64% – of organizations polled have cyber insurance, but most small breaches (defined as fewer than 500 records) are not covered.

“While cyber liability insurance has proven effective in covering many cyber-related losses, the majority of small breaches often fall below cyber insurance policy deductibles that trigger coverage, leaving organizations to manage and pay for all breach response,” Advisen notes in the statement.

These are the same small breaches that are going undetected. Why?

“Many organizations do not have the qualified resources, processes or systems in place,” says Aloysius Tan, product manager at Advisen. Respondents report being “most interested in help with forensics, protection services, pre-breach services and call centres,” Tan continues.

Other key survey findings include the following:

  • 55% of respondents say they do not believe their company has adequate resources to detect breaches, so many breaches may go undiscovered;
  • 75% of respondents report having developed an incident response plan, but only 42% say the plan has been tested; and
  • 72% of respondents note they conduct a cyber security and privacy risk assessment at least annually, although they may not have a consistent process in place for effective assessment, resulting in errors or inconsistencies.

The report did find that many organizations are taking key steps to prevent and detect data breaches. That said, “many are not prepared for or lack the resources to manage data breach response, including the legal and regulatory requirements,” the statement adds.

