Companies are not moving quickly to deploy protections and adopt procedures to cope with a future data security breach, according to a new survey of more than 700 IT executives and security officers.
Of those surveyed, 85% of respondents said their business had experienced a data security breach. Despite the frequency of such security failures, 46% of those surveyed said their businesses didn't implement encryption solutions on portable devices even after suffering a data breach.
"We're dealing with lots of small breaches," said Larry Ponemon founder and chairman of the Traverse City, Mich.-based Ponemon Institute. "Data breaches have been a common event since organizations have been managing large amounts of data with technology, but middle and upper levels of management were removed from the daily event of a data breach."
The survey was conducted by the Ponemon Institute and commissioned by Scott & Scott, a Dallas-based law firm that handles data breach cases. Called "The Business Impact of Data Breach," the survey examines the responses of more than 700 US-based C-level executives, managers, and IT security officers in mid-size to large businesses spanning various industries.
Business executives have been keeping a close eye on the TJX Cos., which reported the largest data breach in history with the loss of more than 45 million credit and debit card numbers. While the company had encryption in place, the breach was the result of weak Wi-Fi security measures, according to investigators. Experts say there are many lessons to be learned from the TJX data security breach.
The survey found that only 43% of respondents said they had an incident response plan in place and 82% failed to consult with legal counsel before responding to an incident.
"The legal landscape governing data privacy is complex with 35 separate state regulations and numerous federal regulations that may be applicable to a particular incident," said Robert Scott, managing partner at Scott & Scott.
Nearly all the respondents said they were required to notify those whose information was lost or stolen because of state breach notification laws. The organizations sent blanket notifications, rather than precise notifications, according to the survey.
In many cases notification could have been avoided if encryption was in place. Ponemon said that encryption is in most cases the only answer to securing sensitive corporate and customer data. The high costs and performance issues attributed by many IT pros to encryption outweigh the risk of a major data security breach, Ponemon said.
"I think that you aren't a good practitioner if you don't implement encryption in areas where you have critical or sensitive information," Ponemon said. "If you're not implementing encryption you're just not doing your job."
In addition, the survey found that organizations that suffered a data security breach employ substantially more IT and data security measures than organizations that have not experienced a data breach.
Ponemon said it's unclear if organizations are reporting more IT and security measures in place because they spend more on security after a data breach has already occurred. Businesses with a larger IT staff may be more capable to discovering a breach, he said.
"We think a breach is motivating a behavior change," Ponemon said. "Organizations are making small steps and improvements after the fact."