This year, more UK businesses of all sizes have invested in response plans than ever before (78%). This shows a greater awareness of cybercrime and a positive step in the right direction. However, when you dig below the surface, our latest research shows that the effectiveness of many of these plans is questionable.
How can we say this with authority? Well, Experian commissioned research consultancy ComRes to conduct a survey of IT business decision-makers about their data breach response plans and attitudes. And many of the findings have surprised even us.
For example, 34% of businesses questioned admitted their data breach response plans do not include customer notification, and a staggering 43% do not include legal cover. Under the EU General Data Protection Regulation (GDPR), a business that fails to notify the supervisory authority within 72 hours of becoming aware of a breach, or to notify affected customers without undue delay where the breach puts them at high risk, is in breach of regulatory requirements. Legal counsel can help you meet those deadlines and avoid breaking the law and incurring hefty fines.
But that’s not all the EU GDPR demands. A breach notification must also describe the nature of the breach, including, where possible, the categories and approximate number of individuals and records affected, so businesses are legally obliged to establish what data has been lost. Establishing that reliably requires forensic analysis, and yet 84% of businesses do not have forensic analysis included in their plan.
Lack of understanding
Far from being deliberate, or a case of turning a blind eye, we believe the lack of rigorous response plans is due to a fundamental lack of understanding of the harm a data breach can do to a business.
The knock-on effect
In a worst-case scenario, a breach can be fatal for a company, especially a small one. Even if a company survives, the knock-on financial and reputational consequences can rumble on for some time. Organisations that are not fully prepared and have not invested in far-reaching data breach response strategies could suffer lost business, fines and damage to brand credibility.
Here’s a snapshot of how organisations can protect themselves against data breaches:
• Establish an internal response team, including specific responsibilities
• Appoint legal counsel
• Have IT forensics in place
• Identify PR and crisis comms strategy
• Ready a customer services and notification plan
• Invest in a data breach response partner
Find out more about how Experian help organisations put readiness plans in place so they can know, prepare, and recover with confidence in the event of a data breach.
Read our whitepaper: Readiness vs The Reality
ComRes interviewed 200 business IT decision-makers in Great Britain (online) between 9th – 16th January 2017. Respondents were surveyed across a variety of sectors and business sizes, ensuring good representation from all business types. All were screened to ensure they were involved in or aware of data breach management at their organisation, and all organisations had to be responsible for at least 100 Personally Identifiable Information (PII) records. Given the subject of the survey, respondents in the IT and Financial sectors are over-represented. ComRes also conducted similar research in 2016 with SMEs.
ComRes interviewed 2,001 British adults online between 13th and 15th January 2017. Data was weighted by age, gender, region and social grade to be representative of all British adults aged 18+. ComRes also conducted similar research among British adults in 2016 and 2015.
ComRes is a member of the British Polling Council and abides by its rules. Data tables are available on the ComRes website, www.comresglobal.com.