Companies that experience a data breach are choosing to assess the damage thoroughly before notifying victims, rather than notifying them swiftly, according to a new survey conducted by the Ponemon Institute.
The three most useful ways to reduce the negative consequences of a security breach are to hire outside legal counsel, assess the potential damage to victims and hire computer forensics experts to investigate the breach, according to the survey of nearly 600 IT professionals.
“People want to have a studied and thorough approach and not over-report,” said Ponemon Institute founder and chairman Larry Ponemon. In short, companies would rather know whether the data breach actually endangers the security of the victims’ identity and financial security before telling them their information has been leaked. Over-reporting can cause a major loss in trust between a company and the victims, Ponemon said.
“Forensics helps an organization to be more surgical and find out who’s actually at risk,” Ponemon said. The results of a careful investigation can help guard against future data breaches, he said.
The Ponemon survey reached 584 IT professionals who indicated they were from organizations that experienced a data breach in the last two years. The data breaches prompted senior leadership to more fully embrace data security and as a result IT security budgets increased for most organizations, according to the survey.
Insider threats feared the most
The majority of IT professionals surveyed agree that investigating a breach helps prepare the company for future breaches. According to the report, 61% said that their “employees are now more careful to protect sensitive and confidential information.”
Insider threats, mostly poor handling of sensitive data by employees, are at the root of many data breaches, according to the survey. The survey found that 34% of participants who could identify the cause of the breach said it was due to a negligent insider, compared with 7% who attributed it to a malicious cyberattack. In addition, 19% of participants indicated that a breach was caused during the outsourcing of information, while malicious insiders accounted for 16% of breaches.
The most cited technique for prevention is the integration of new employee training and awareness about data breaches.
Endpoint security, data encryption
Aside from training and awareness, there has also been an upswing in organizations controlling the endpoints that connect to their systems, hiring outside counsel to provide legal advice and establishing incident response plans.
Controlling endpoints, such as employee smartphones, has become an important part of securing corporate data. Ozzie Fonseca, senior director of Experian Data Breach Resolution, which sponsored the survey, said the relationship between mobile devices and policy is too disconnected.
“Companies should provide mobile devices in order to monitor the access they have,” he said. People who are connected to work 24 hours a day need to have access. However, Fonseca warns that employers must retain control by limiting the data available, encrypting it, and reserving the right to wipe any device that has been lost or stolen.
Fonseca is surprised that 60% of corporate data -- including personal information, login credentials, medical records, etc. -- is still not being encrypted. Although to him it seems like common sense, data security is often sidelined in favor of investments that make money.
“There’s complexity in IT on the increase, and until an organization has a security breach they are looking more at efficiency and productivity,” Ponemon said. Security measures like encryption and the hiring of additional IT security staff are often not put in place until after a breach.
Ponemon is encouraged by the slow but steady increase in the number of companies encrypting their data, but agrees that the industry has a long way to go.
“A lot of organizations don’t have an incident response plan in place, or they have one but it’s just words on paper that they’ve never tested,” he said. And while one company might learn from a breach, those that have never experienced one unfortunately assume it won’t happen to them, when they should be learning from others’ mistakes.