Most data breaches are small and go undetected for a long time, according to a report from Advisen, an insurance analytics firm. When they are detected, most organizations lack the internal resources to handle breach response, putting them at greater risk for costly fines and lawsuits, reputational harm and customer identity theft, according to the report.
Eighty percent of organizations are concerned about the consequences of a large breach and the impact it will have on their business, according to the findings. While 64 percent of those surveyed have cyber insurance, most small breaches aren't covered, leaving organizations struggling with managing gaps in cyber insurance coverage.
"The report indicates that there is a lot of concern about data breach impact and uncertainty about data breach response best practices. Most organizations are not prepared to manage the high-risk, high-threat landscape in which we do business," said Jeremy Henley, director of breach services at ID Experts, which sponsored the report. "Sixty percent of respondents rely solely on the IT department to manage data breach response. However, best practice is a cross-functional team with a combination of specialties to handle a data breach to fully protect the organization and meet privacy and regulatory compliance."
If they collect or store sensitive data, organizations of all sizes and in all industries are exposed and are at risk for data breach. Organizations that proactively prepare for and manage data breach risk will significantly reduce breach impact. However, the report finds that organizations are not prepared for data breaches, due to inadequate resources.
The majority of breaches involve fewer than 500 records, and may go undetected for a long time. Eighty percent of organizations are concerned about the consequences of a large data breach and the impact it will have on their business. More than half (55 percent) don't believe their company has adequate resources to detect breaches, so many breaches may go undiscovered. Seventy-five percent of respondents have developed an incident response plan, but only 42 percent have tested the plan. Seventy-two percent of respondents said they conduct a cybersecurity and privacy risk assessment at least annually. However, they may not have a consistent process in place for effective assessment, resulting in errors or inconsistencies.
The majority of organizations use internal resources to manage small but high-frequency breaches. In fact, 60 percent of respondents rely solely on the IT department to manage data breach response. However, IT on its own is generally not equipped to handle data breach compliance and regulatory requirements.
Access the complete report.