Businesses, including retailers, are spending more money to detect and respond to data breaches, but they aren’t regularly updating their plans, a new study finds.

Businesses are beefing up their budgets to prepare for the prospect of a computer system breach, but once they have a security plan in place, few bother to update it.

That’s according to a report released Wednesday by Ponemon Institute LLC titled, “Is Your Company Ready for a Big Data Breach?” Ponemon Institute polled 619 professionals across the United States who work in information technology security, compliance and privacy positions. Professionals in financial services (19%) comprised the largest segment, followed by the public sector (12%), healthcare and pharmaceutical firms (10%) and retail (9%).

Among the survey respondents, 86% said their company has a plan in place to respond to a data breach, up from 81% last year. And 59% agreed or strongly agreed that their company is prepared to respond to the theft of sensitive and confidential information that requires notification to victims and regulators.

Yet only 41% of respondents said their company was able to respond to a data breach involving confidential information and intellectual property, and just 27% were confident in their ability to minimize financial consequences and reputational damage if there were a breach, according to the report.

In this year’s study, 52% of the companies that respondents worked for had a breach in the past two years, up from 49% last year, and 66% of respondents said their organization suffered multiple breaches.

Breaches aren’t uncommon within retail. For instance, hackers took down Newegg Inc.’s site last October demanding a ransom of bitcoin digital currency, a ransom the company says it did not pay.

But while companies are spending more and trying to prepare, respondents said their employers don’t regularly update response plans.

“A deterrent to an effective data breach response plan is keeping it current with changes in the risks and threats facing a company,” Ponemon writes in the report, but doesn’t specify how often a response plan should be updated.

29% of all respondents said their company hasn’t updated its data breach response plan since it was implemented, an improvement from the 35% who gave that response last year. Another 24% said their plan gets updated once a year, up from 20% last year.

“When it comes to managing a data breach, having a response plan is simply not the same as being prepared,” says Michael Bruemmer, vice president at Experian Data Breach Resolution, which commissioned the Ponemon study. “Unfortunately many companies are simply checking the box on this security tactic. Developing a plan is the first step, but preparedness must be considered an ongoing process, with regular reviews of the plan and practice drills.”

Other findings include:

  • 58% of the IT professionals said their company has spent more on data breach detection and response technology in the past year, up from 54% when the study was conducted last year.
  • 46% reported feeling either “not confident” or having “no confidence” that their employer would be able to respond to an international data breach.
  • 50% said their company’s data breach response plan has guidance in place for dealing with an extortion attempt, up from 16% last year.
  • 38% said they have a data breach or cyber insurance policy. Among those that do not have such a policy, 40% have no plans to purchase one.