The goal in IT security is, of course, to prevent identified risks from becoming data breaches. Even companies that are proactive with data security (performing regular risk assessments, updating systems, reviewing policies, conducting ongoing training) still suffer data breaches. The reality is that no plan is ever perfect and that, whether through malicious intent or accident, breaches will still happen. The goal in IT security planning is therefore to understand these risks, to minimize them, and to be prepared with an adequate data breach response plan that mitigates the fallout when a breach does occur.
Michael Bruemmer, VP at Experian Data Breach Resolution, notes in an article for Net Security that “it is more important than ever for companies to prepare for a data breach and stay ahead of the game.” Three themes are touched on in the article: the rise and fall of payment breaches, the growing threat of healthcare breaches, and the new breach surface via the Internet of Things (IoT). We agree with Michael on many of these points. Healthcare breaches are continuing to dominate, at 42% of all breaches in 2014 so far. And with the advances in IoT, a whole range of new breach vectors has opened up.
The article shared research from Experian on how often organizations review and update their data breach response plans, with startling findings. Only 22% of organizations review and update their data breach response plan at least once per year. The remainder have never updated theirs since it was launched (37%) or have no set time period for reviewing and updating the plan (41%).
Given the pace at which technologies and risks are changing, and even the subtleties of employee churn and acquisition, these time frames are troubling. Risk assessments, data breach policy reviews, and data breach response plans all should be reviewed on an annual basis to ensure that organizations are as prepared as possible.