Nearly 40% of organizations do not routinely review and update their data breach preparedness plans, according to a new study from the Ponemon Institute sponsored by Experian Data Breach Resolution.
The study also found that 26% of organizations don’t practice their preparedness plans. Of those, 64% of respondents said they don’t practice their plan because it's "not a priority."
Almost 30% of respondents who have a data breach preparedness plan in place have not reviewed or updated their plan since it was first implemented, the study found. Ponemon surveyed 619 U.S. security executives and staff employees.
The good news is that more data breach preparedness plans exist today. This year, 86% of the organizations polled said they have a plan in place, versus 61% in 2013. But just because they put a data breach preparedness plan in place doesn’t mean they are as prepared as they could be.
"When it comes to managing a data breach, having a response plan is simply not the same as being prepared," said Michael Bruemmer, vice president at Experian Data Breach Resolution. "Developing a plan is the first step, but preparedness must be considered an ongoing process, with regular reviews of the plan and practice drills."
Practice could certainly pay off if it helps a company avoid a breach. A September study from Kaspersky Lab found the average cost of recovery from a single security incident is estimated to be $86,500 for small and medium businesses and $861,000 for enterprises.