The second annual study on data breach preparedness was released by the Ponemon Institute on September 24, and the study indicates that the number of companies that have had a data breach is on the rise.

Ponemon Institute conducts independent research on privacy, data protection, and information security policy.  For the September 2014 study, Is Your Company Ready for a Big Data Breach?, Ponemon Institute surveyed 567 U.S. executives from organizations ranging in size from fewer than 500 to more than 75,000 employees about how prepared they think their companies are to respond to a data breach.

It appears that for an overwhelming number of the study’s participants, the answer to “Is your company ready for a big data breach?” is, unfortunately, “No.”

Here are a few of the study’s key findings:

“Data breaches are increasing in frequency”:  In the 2013 study, 33 percent of respondents reported that their companies had a data breach involving the loss or theft of more than 1,000 records containing sensitive or confidential customer or business information in the prior two years.  This year, the percentage increased to 43 percent.  A full 60 percent of respondents report that their companies have experienced more than one data breach in the past two years.

“Current data breach preparedness programs often fail to deal with all consequences of an incident”:  According to the study, respondents are slightly more pessimistic about their organizations’ ability to manage the public’s perception of the breach than the organizations’ ability to actually respond to the data breach.

  • 68 percent of respondents do not agree that their organizations understand what needs to be done following a material data breach to prevent negative public opinion, blog posts, and media reports. 
  • 67 percent of respondents do not agree that their organizations understand what needs to be done following a material data breach to prevent the loss of customers’ and business partners’ trust and confidence.
  • 62 percent of respondents do not agree that their organizations are prepared to respond to a data breach involving business confidential information and intellectual property.
  • 49 percent of respondents do not agree that their organizations are prepared to respond to the theft of sensitive and confidential information that requires notification to victims and regulators.

“More companies have data breach response plans but they are not considered effective”:  Although the percentage of respondents who report that their organizations have a data breach response plan in place increased from 61 percent in 2013 to 73 percent in 2014, only 30 percent of respondents characterize the development and execution of those data breach response plans as “effective” or “very effective.”

“Fire drills, senior executive oversight and an adequate budget are considered key steps to improve data breach response”:  The study asked respondents to identify ways in which their data breach response plans could become more effective.

  • 77 percent of respondents think it is important that their companies conduct more fire drills to practice the data breach response.
  • 70 percent of respondents think data breach response plans need more participation and oversight from senior executives.  According to the study, only 29 percent of respondents report that the board of directors, chairman and CEO are informed and involved in plans to address a possible data breach.
  • 69 percent of respondents think a company needs a dedicated breach preparedness budget.