Consequently, confidence levels among executives to thwart spear phishing and other common attacks have declined

Costa Mesa, Calif., Feb. 24, 2020 — While corporations today are more knowledgeable about security threats and prepared to respond to data breaches, there are key areas in which progress declined in 2019. Experian® today released its seventh annual corporate preparedness study, Is Your Company Ready for a Big Data Breach?, revealing that cybercriminals may still be one step ahead of companies’ security practices and investments.

Conducted by the Ponemon Institute, the study surveyed 650 professionals in the United States — and new this year — 456 in EMEA. To view the report, go to

Security investments and effectiveness in many categories increased

Sixty-eight percent of respondents say their organization has put more resources toward security technologies to detect and respond quickly to a data breach. More than half of those surveyed (57%) also reported that they believe their data breach response plans are “very” or “highly” effective, up from 49 percent in 2018.

More organizations are also taking additional steps to prepare beyond their data breach response plan. These steps include:
• Regularly reviewing physical security and access to confidential information (73%, up 3%)
• Conducting background checks on new full-time employees and vendors (69%, up 4%)
• Integrating data breach response into business continuity plans (56%, up 4%)
• Subscribing to a dark web monitoring service (26%, up 7%)

For the second year surveying respondents about the General Data Protection Regulation (GDPR), findings revealed some good news. Organizations have improved their ability to comply with GDPR with 54 percent of respondents saying they have a high or very high ability to comply with the regulation (an increase from 36%), while 50 percent of respondents have a high or very high effectiveness in complying with the data breach notification rules (an increase from 23%).
But data breaches are up and confidence levels are down

While more time and resources are being put toward preventing and preparing for a data breach, unfortunately, 63 percent of those surveyed reported they had a data breach involving more than 1,000 records, a 4 percent increase from 2018. There was a slight increase (1%) of those who had data breaches more than five times (12%).
Consequently, organizations are struggling in the following areas:

• Since 2017, respondents who say their organization is very confident or confident in their ability to deal with spear phishing attacks has declined from 31 percent to 23 percent. Sixty-nine percent of respondents had one or more spear phishing attacks in 2019.
• Thirty-six percent of respondents say their organization had a ransomware attack last year with only 20 percent feeling confident in their ability to deal with it. The average ransom was $6,128 and 68 percent of respondents say it was paid.

• From a reputation standpoint, only 23 percent of respondents say their organization is confident in its ability to minimize the financial and reputational consequences of a material data breach, while about a third (38%) believe they’re effective at doing what needs to be done following a data breach to prevent the loss of customers’ and business partners’ trust and confidence.
• With more breaches being international in scope, only 34 percent of respondents say they are confident in their organization’s ability to respond to global breaches.
• Two out of three (66%) respondents say their organization hasn’t reviewed or updated the plan since it was put into place or hasn’t set a specific time to review and update the plan.

“It’s a bit surprising to see that organizations have made great strides in certain areas, but not in others, especially when it comes to fighting rudimentary attacks, such as spear phishing or IoT and malware infiltration,” said Michael Bruemmer, vice president of Data Breach Resolution at Experian. “But, overall, with 94 percent of organizations having a data breach response plan in place, and a third deploying data protection program activities across the enterprise with C-level support, security postures have improved immensely. However, organizations shouldn’t let their guard down and should continue to invest in trainings, technology and external response partners.”

About Experian
Experian is the world’s leading global information services company. During life’s big moments — from buying a home or a car to sending a child to college to growing a business by connecting with new customers — we empower consumers and our clients to manage their data with confidence. We help individuals to take financial control and access financial services, businesses to make smarter decisions and thrive, lenders to lend more responsibly, and organizations to prevent identity fraud and crime.

We have 17,200 people operating across 44 countries, and every day we’re investing in new technologies, talented people and innovation to help all our clients maximize every opportunity. We are listed on the London Stock Exchange (EXPN) and are a constituent of the FTSE 100 Index.

Learn more at or visit our global content hub at our global news blog for the latest news and insights from the Group.

Experian and the Experian marks used herein are trademarks or registered trademarks of Experian and its affiliates. Other product and company names mentioned herein are the property of their respective owners.
# # #