For many companies, the question is not whether they will experience a data breach but when and how often, according to survey results released by law and technology services firm Scott & Scott.
Some 85 percent of 700 C-level executives, managers and IT security officers revealed they had experienced a data breach event, and about half of those admitted they had no incident response plan in place. Among the most common causes for the breach incidents were lost or stolen equipment such as laptops, PDAs and memory sticks. The second largest contributing factor involved negligent employees, temporary employees or contractors.
The survey, titled "The Business Impact of Data Breach", revealed the "pervasive problem" plaguing IT security officers in midsize to large US businesses in all industries, researchers say. US-based law and technology services firm Scott & Scott commissioned the survey, conducted by independent research firm Ponemon Institute.
"Our findings show that data breaches are a pervasive problem for most organizations in the United States today. We also show that despite negative repercussions in terms of cost outlays and reputation diminishment, many companies that experience a breach do not take appropriate steps to prevent future incidents," said Larry Ponemon, founder and chairman of the Ponemon Institute, in a press release.
The survey also shows that most companies are required to report the incident to subjects whose information was lost or stolen. Nearly 100 percent were required to give such notifications under state statutes, and some 60 percent were required to notify victims under federal privacy acts such as the Health Insurance Portability and Accountability Act and the Gramm-Leach-Bliley Act. About 37 percent of respondents said they sent blanket notifications to potential victims, rather than precise details.
Of those organizations suffering a data loss, about three-quarters reported loss of customers, nearly 60 percent said they faced potential litigation and one-third faced potential fines. Another 32 percent said they saw a decline in their share value.
Yet most respondents reported little or no monetary harm to data subjects. Researchers say the findings highlight the need to reform notification requirements, "which can be detrimental to businesses especially when weighed against the perceived lack of real benefit to consumers".
"The common perception held by many respondents is that monetary impact to data breach victims is nonexistent or negligible. In other words, respondents believe that the notification requirement may not provide tangible consumer benefits such as preventing possible future economic harms," Ponemon said.
Lastly, the survey results show that despite the frequency of such events, IT security technologies such as encryption and authorization are not yet in place at many of the companies polled. About 46 percent of those surveyed said they had yet to deploy encryption technology on portable tools following known data losses. Another 42 percent of respondents said IT security spending will remain the same in the coming year.
"I'm most surprised that IT security solutions such as encryption and authorization technology are not being deployed by most companies today," Ponemon said.
Ironically, the survey also found organizations that suffered data breach events employed "substantially more IT and data security measures" than organizations that did not report experiencing a data breach.