UK firms horribly unprepared for data breach response
Two new studies reveal that despite a third of UK businesses suffering a breach in the last year, most organisations severely overestimate their readiness to respond to an incident.
On Tuesday, BlueCoat and Experian released independent reports which painted a bleak picture of UK firms' information security practices, finding in particular that companies did not have appropriate incident response plans, or did not carry out appropriate risk and security assessments.
In a study which consulted 1,580 infosec professionals, BlueCoat found that nearly a third of UK businesses admitted to a data breach in the last year. Despite this, it was high-profile breaches (cited by 61 percent of UK businesses) that had driven home the importance of cyber-security, compared with 38 percent and 36 percent of German and French respondents respectively.
The study also found that UK firms would sometimes deploy new technology without thinking of risk and security. While two-thirds of Chinese and Indian companies conduct security risk analysis before deploying new technology, only 59 percent of UK and 37 percent of German firms do the same. Two-thirds of UK firms believe their IT teams hold back on risk assessments for new technology, compared to Chinese companies who believe IT teams support new technologies.
Meanwhile, over at Experian, the firm had carried out research and published a white paper gauging the impact of data breaches on UK businesses. After surveying 400 senior business executives, the company found that a third of businesses (34 percent) do not have a data breach response plan in place; of those, a quarter do not include specialist crisis communications (23 percent) or legal support (27 percent), while another third had not considered digital forensics.
Only one third have specific budgets set aside to deal with data breaches, while just under half had no reporting procedures for lost data or devices (39 percent) or had breach or cyber-insurance policies (43 percent).
Less than half of organisations (47 percent) would notify customers ‘as quickly as possible’ following a data breach, and less than a quarter (21 percent) would offer an identity protection service to existing customers.
Experian recommends that IT security teams identify response teams, roles, responsibilities and who will be affected; secure direct involvement from the top; put in place agreements with specialist suppliers (such as insurance, digital forensics, consumer support and crisis comms); integrate plans; and carry out regular testing and scenario planning “to ensure plans are relevant and cover all possible outcomes”.
“Businesses suffering breaches have maybe had a bit of an easy ride from consumers until now, but that is changing. Increasingly, I think the effectiveness of the response is what an organisation will be judged on. If they are found wanting, that is where the reputation will suffer, not just because the breach happened in the first place,” said Claire Snowdon, director of Regester Larkin, in the white paper.
“The data breach landscape is going to change a great deal, and very quickly over the next year. I'd expect to see notification as a mandatory requirement for everyone by 2016, so cyber-security, data compliance and breach readiness will have to become absolutely routine business practice. Right now, there is still a lot to learn,” added Margaret Tofalides, partner and head of UK & EU data and cyber security practice, Clyde and Co LLP.
Philip James, partner and head of technology and data privacy at Sheridans, told SCMagazineUK.com: “The two recent research reports highlight both the proactive and reactive strategies boards can deploy. Not only to mitigate risk and limit liability, but to protect brand, retain value and remain ahead of the competition. The Imitation Game, depicting the life of Alan Turing, who defeated The Enigma Machine and decrypted coded messages at Bletchley (the precursor to GCHQ), highlights the importance of intelligence and secure communications channels.
“Whilst in a more extreme military context, the film underlines that organisations can significantly increase their competitive advantage by keeping sensitive information confidential. And, in turn, that a failure to do so can reduce any prior advantage.
“Whilst Turing managed, historians reckon, to shorten the Second World War by two years and save 14 million lives, companies can similarly increase revenue streams, protect IP assets and differentiate themselves by reviewing their data strategy.”
Steve Santorelli, director of intelligence and outreach at Team Cymru, told SC: “I think the main cause of poor breach response is the same worldwide, not just in the UK: lack of preparation. Folks think it will never happen to them. It will, and in fact it probably already has, but you have probably not realised it.
“Preparing for a breach should really become part of your response planning for all IT security events: just as best practice is to have a BCP plan, you need to have a triage, notification, communication and media strategy planned, circulated and updated as staff join and leave.
“Handling a breach well, from the perspective of your customer base, has the potential to massively mitigate the potential impact. Doing the opposite can compound and prolong the pain a great deal needlessly.”