More than 70% of executives say their organisations do not fully understand the risks associated with data breaches, a Ponemon Institute survey has revealed.
Less than half of top executives, including board members, are kept informed about the breach response process, according to the 2014 Executive Breach Preparedness Research Report, commissioned by HP.
Of the nearly 500 senior executives polled in the UK and the US, only 45% said they were accountable for the incident-response process.
The survey on the importance of senior executive involvement in breach response found that while 79% of respondents said executive-level involvement is necessary to achieving a successful data breach response, only 70% believed board-level oversight was also crucial.
The survey also revealed that only 45% of executives considered their own enterprise’s incident response process as either proactive or mature.
Be prepared for a data breach
According to the report, an important step to making these plans more effective would be to take into account both the value and importance of data to an organisation’s business operations.
“Without a well thought out plan in place, and without the proper guidance, training and process instituted throughout the organisation, executives can stumble when dealing with the public outcry once sensitive data has been compromised,” said Arthur Wong, senior vice-president and general manager for enterprise security services at HP.
The survey showed that senior executives are more concerned about the threat within than external risks caused by cyber criminals and hacktivists.
Some 42% of respondents said they worried most about negligent insiders, followed by 25% who said they were concerned about malicious insiders.
Some 57% of respondents admitted the loss or theft of more than 10,000 records containing confidential or sensitive information would constitute a significant data breach.
In terms of cost, the survey revealed that a data breach costing approximately $2m on average would be considered significant.
The financial consequences from a security breach can be severe, according to the Ponemon Institute, costing 38 UK organisations an average of £3.56m a year, ranging from £545,000 to £14m.
“No amount of spend can completely protect organisations from highly sophisticated cyber attacks, but how prepared an organisation is in the event of a breach can mean the difference between a speed bump in the road or a catastrophic business event,” said Wong.
To help executives prepare for a breach, HP has developed free online resources to determine the amount of risk an organisation faces and its readiness to respond to a breach.
These resources include a study exploring how 300 global organisations plan and use best practices to prepare for cyber security incidents, along with a breach response assessment benchmarking tool.
The online resources also include scenarios, best practices and benefits in planning that will help an organisation understand the response plan and how to be prepared in the event of a data breach.
Data breach response is a board-level issue
According to the Ponemon Institute, senior executives and boards of directors may have been complacent about the risks posed by data breaches and cyber attacks in the past.
“However, there is a growing concern about the potential damage to reputation, class action lawsuits and costly downtime that is motivating executives to pay greater attention to the security practices of their organisations,” the report said.
The study confirmed senior executives’ motivation to become involved in breach response to help reduce the financial impact of potential incidents and to protect their companies’ reputation and brand, the Ponemon Institute said.
According to the study, the primary barriers to an effective breach response are poor communications, lack of leadership and lack of board input.
Other research has shown that IT and security practitioners often have a difficult time talking about security risks with senior executives, especially when it involves explaining the consequences of a data breach.
In one Ponemon Institute study, 65% of IT practitioners surveyed said that, when asked to provide a report on a security incident that had major consequences for the organisation, they would modify, filter or water down that report.
It is likely, therefore, that many CEOs, directors and other corporate leaders are in the dark about the state of their organisations’ breach preparedness, the Ponemon Institute said.