UK businesses exhibit “misplaced confidence” in their data breach response plans

A new Experian report (Data Breach Readiness 2.0 – The ‘Customer First’ Data Breach Response) has found that UK businesses are underprepared for cyber attacks and data breach incidents, yet exhibit “a misplaced confidence” in their ability to respond.

While UK businesses “claim to understand the risks, they are inadequately prepared to cope with the full impact of a data breach today, let alone in a future of tougher regulation in which customers really will vote with their feet.”

The EU General Data Protection Regulation (GDPR), due to be adopted this year, will increase the burden on European organisations that suffer a data breach, requiring them to notify affected individuals without undue delay, among other obligations. It is this “tougher regulation” that organisations need to prepare for.


Experian’s research found that:

  • “79% believe their organisation is prepared to respond to the theft or loss of sensitive and confidential information that requires notification to victims and regulators;
  • “81% believe the organisation understands what needs to be done following a data breach to prevent the loss of customers’ and business partners’ trust and confidence;
  • “76% say the organisation understands what needs to be done following a material data breach to manage negative media or public sentiment.”


When incident response plans are actually examined, however, they are found to have been “built up by a costly process of trial and error”, “preparedness is patchy at best and… customer engagement is almost an afterthought:

  • “34% do not have data breach response plans in place, and even of those who do, those plans are less than comprehensive…
  • “Only one third (33%) have specific budgets set aside to deal with data breaches…
  • “Less than half (43%) have data breach or cyber insurance policies in place;
  • “Just 47% would notify customers ‘as quickly as possible’ following a data breach;
  • “Less than a quarter (21%) would offer an identify protection service to existing customers, and only 10% would offer a credit monitoring service.”

Inadequate and tardy response

Experian concludes that “UK organisations are underestimating the complexities in planning for and delivering an effective and well-rounded data breach response, until it is too late” and that “UK businesses’ data breach response planning is an iterative process of trial and error”.

Best-practice cyber resilience

A properly prepared organisation will realise that information security alone will not guarantee its continued success. As cyber security incidents continue to increase in severity and number, the sensible response is to combine best-practice cyber security with business resilience to ensure, first, that there are adequate defences to rebuff most attacks, and, second, that if an attack is successful, the organisation is prepared to react quickly and effectively.

ISO 27001 and ISO 22301

Two international standards provide the guidance you need for a best-practice cyber resilience strategy: ISO 27001 and ISO 22301.

Four-solutionsISO 27001 is the international standard for information security management. It sets out the requirements of a management system that encompasses people, processes and technology for an enterprise-wide approach to managing information security risks.

For more information on ISO 27001 and to see how IT Governance’s fixed-price ISO 27001 Packaged Solutions will enable you to implement a best-practice information security management system (ISMS), whatever your budget or the timescale of your project, click here >>

ISO 22301 is the international standard for business continuity, and sets out the requirements of a business continuity management system (BCMS), which can be integrated into an ISMS to prepare an organisation to deal with the aftermath of a data breach incident. For more information on ISO 22301, click here>>