Fish & Richardson and Corporate Counsel recently released the results of a survey they conducted on U.S. companies’ cybersecurity preparedness. The survey shows that, despite executive support for cybersecurity preparedness and risk mitigation, many companies are struggling to implement measures designed to prevent a cybersecurity incident or data breach. In addition to releasing the survey results, the authors offer a concise summary of the steps that companies should take to prevent and prepare for cybersecurity events. A white paper discussing the results of the survey, which was published by Corporate Counsel, is available here.
The Corporate Counsel-Fish & Richardson “Survey Report on U.S. Companies Cybersecurity Preparedness” is based on an online survey of in-house counsel that was conducted in September 2015. The survey measured the status of specific preparedness measures, such as whether the appropriate data security policies, procedures and training are in place. The survey also asked in-house counsel to rate the level of senior management and board of director support for cybersecurity preparedness and to specify hurdles to cybersecurity implementation and oversight.
The survey showed that most companies – even those with over $1 billion in annual revenue and global operations – are not sufficiently prepared for a cybersecurity event or data compromise. For example, one of the most critical components of an effective preparedness plan – an annual audit of vendors for data security and incident response – has been fully implemented by only 21% of the respondents.
“Companies that hold valuable information need to know that a breach is somewhat inevitable,” said Ed Lavergne, a principal at Fish & Richardson and co-author of the white paper. “By preparing in advance, they can avoid scrambling to manage a breach.”
Only three of 10 specific “best practices” preparedness measures – creating data security policies/procedures, creating an incident response plan, and annually auditing policies/procedures – have been fully implemented by at least 50% of respondents. Developing company-wide training programs, which is another best practice preparedness measure, has been fully implemented by less than half of the respondents. Approximately one-third of the respondents have only partially implemented these measures.
“While our survey results show that there is still a lot of work to be done, the good news is most companies have the support of both senior management and the board of directors,” said Donna Balaguer, a principal at Fish & Richardson and co-author of the white paper. “Protecting companies from cybersecurity events requires leadership from the very top, and we were pleased to find that C-suite executives and boards are so committed to these efforts.”
More than two-thirds of respondents rated the security culture instilled in their company as either very high company-wide (22%) or at least high across the most affected departments (47%). In addition, 79% of respondents agree that their company has strong support across senior management for robust cybersecurity/data privacy policies, and 72% believe that their boards are increasingly engaged in cybersecurity preparedness and risk mitigation.
However, lack of resources and lack of technical expertise were cited as two main issues hindering the legal department’s oversight of and involvement in cybersecurity risk. In addition, over 80% of respondents said the volume and variety of data privacy laws and regulations make compliance extremely difficult.
“This apparent disconnect between actual preparedness and management support is rooted in the fact that cyber-preparedness can be an overwhelming task,” explained Lavergne. “But if companies take a methodical step-by-step approach to improve cybersecurity preparedness, they can mitigate their risks,” said Balaguer.
The authors recommend specific steps that companies should take now to begin cybersecurity preparedness. First, senior management and the board of directors must commit to allocating resources. The next critical step is the formation of a cross-functional privacy committee, tasked with identifying data collected and how it is handled. This process will highlight potential risks, and a plan can be put in place for how to mitigate those risks. Policies must be drafted and implemented, and all employees formally trained.