Many companies haven't updated their data breach plans since developing them, report a lack of adequate employee training on data protection, and still haven't figured out how to guard cloud services and mobile devices, according to a new study.

The "Seventh Annual Study: Is Your Company Ready for a Big Data Breach?" was sponsored by Experian Data Breach Resolution and conducted by Ponemon Institute.

"I was surprised that two out of three respondents said they haven't reviewed or updated their data breach preparedness plans," said Michael Bruemmer, vice president of data breach resolution and consumer protection at Experian. "Preparedness plans can't be a binder on a shelf that are not active and fluid plans. They should be reviewed and updated at least on a yearly basis."

Bruemmer said a main takeaway from the report for general counsel is that "their clients are not preparing enough by practicing [data breach drills] and updating their response plans. They should work with clients to ensure this piece is a well-oiled machine."

He also recommended that general counsel ensure their companies have all data breach response partners in place, from forensics to call center support to identity theft protection.

"Companies do not want to be sourcing and vetting partners after a breach has occurred," Bruemmer warned. "These partners should be a regular member of the response team and participate in the practice drills."

He also encouraged more employee training, saying, "Employees have always been the weakest link in the security fence." Bruemmer said the lack of training is the easiest security protocol to implement "and one of the most important."

As for the report finding a lack of security around mobile devices, he said, "Mobile devices are certainly not going away and, again, employees should be trained on security protocols."

Respondents reported the same worrisome issues with cloud security this year that they reported in a 2018 study. "It seems that not much progress has been made in tackling the cloud platform," Bruemmer noted.

The study showed that 55% of respondents believed their C-suite executives knew the company's plan to deal with a breach, but Bruemmer said the number should be higher. He recommended that general counsel make sure the CEO and C-suite "are knowledgeable and prepared for a data breach response. We have witnessed many leaders ill-equipped to handle the consumer response after a data breach."

In a recent article from the Law Journal Newsletters, ALM affiliate publications, a group from Eversheds Sutherland said the worst-case scenario for a company is not the breach itself, but the resulting reputational damage, regulatory enforcement action, business interruption and inevitable litigation. The group was led by Michael Bahar in Washington, D.C., the co-head of the law firm's global cybersecurity and data privacy team, and previously general counsel for the minority staff of the U.S. House Intelligence Committee and deputy legal adviser to the National Security Council.

The Eversheds article advised, "It is important to adjust planning assumptions and response scenarios to focus on addressing these drivers of post-breach exposure."

From a reputation standpoint, only 23% of respondents in the Experian study said their organization is confident in its ability to minimize the financial and reputational consequences of a material data breach.

In addition, Bruemmer warned of two types of future threats. "As cities install more free public Wi-Fi systems, hackers will take to the skies via the use of readily available drones to steal data from devices connected to the unsecure networks," he said.

Another evolving threat, he added, is the use of so-called "deepfake" video and audio technology to steal data and money, or to disrupt businesses. "We have already seen this come true in a few cases" where executives were deceived into allowing thieves to steal from their companies, Bruemmer said.

The Experian study surveyed 650 professionals in the United States, and 456 in the Europe/Middle East/Africa region. All respondents work with data breach planning and are in compliance, privacy, information technology and IT security.

In other findings, the study said:

  • About 36% of respondents reported their organization had a ransomware attack last year with only 20% feeling confident in their ability to deal with it. The average ransom was $6,128 and 68% of respondents say it was paid.
  • Spear phishing attacks are pervasive, with 69% of respondents reporting one or more attacks and 67% saying the negative consequences of these attacks were very significant. Bruemmer called these threats "rudimentary at this point, and … a strong employee training program against these attacks [is] a must."
  • Some 68% of respondents said their company has put more resources toward security technologies to detect and respond quickly to a breach. Still data breaches are increasing, with significantly more organizations reporting data breaches than ever before. "Consequently, confidence levels among executives to thwart spear phishing and other common attacks have declined," according to the report.
  • More organizations at 54% report they have a high ability to comply with the European Union's General Data Protection Regulation, compared with only 36% a year ago.