2015 Benchmark Survey State of Association Data Breach Preparedness Report

Transcription

1 2015 Benchmark Survey State of Association Data Breach Preparedness Report Data is a critical component of an association s success. Membership data. Events data. Certification and other program data. They are the bedrock that supports an association s operations and enable the delivery of knowledge, insights and value. Associations have the same obligation as for-profit companies to protect the personally identifiable information of its membership, staff, vendors and partners. The skyrocketing rate of data breaches and cyber attacks make it imperative that associations get their houses in order with respect to data security and privacy. However, the results of this benchmark survey on data breach preparedness suggest there is a lot of work to do. The survey findings are not representative of the association community as a whole. They represent a small sample of 80 associations. However, they are useful as a rough yardstick to evaluate and compare your data security awareness, policies and response plans. This report reflects responses by individual, trade and hybrid membership organizations, and a cross section of CEOs and senior staff from Finance, Operations, IT, Membership and Human Resources. The survey examines responses by size of association staff and membership; association structure, and the type of sensitive data collected. This report also looks at the level of access to personally identifiable information, whether respondents have experienced a data breach, the impact of that breach, and the number of associations with data security response plans in place. Objectives The purpose of this survey is to establish a starting point for trade and membership associations to assess their degree of protection of personally identifiable information, and their level of readiness in the event of a data breach. 1

2 SUMMARY OF RESULTS As measured by number of employees, the survey findings represent associations of all sizes, with responses fairly evenly split into quartiles. The smallest and largest associations represented a full 50% of respondents, with the other 50% spread across four staffing tiers. 2

3 Type of Association By organizational structure, professional membership associations represented 40% of participants, trade associations 29%, and hybrid organizations, 31%. As measured by the number of individual members, associations with 2,000 or fewer members represented the greatest participation, at 42% of respondents. Data Breaches Three associations that participated in the survey have experienced a data breach as a result of phishing and malware. In each case, associations notified their members, and as applicable, their vendors and partners. One association also reported damage to its brand. 3

4 The small number of breaches reported in this survey is not representative of the association population as a whole. At least a dozen associations have publicly disclosed security breaches in 2015*; however, the total number of security incidents is unknown, as not all organizations disclose this information unless required by law. Security Awareness Training Information security awareness training is perhaps the simplest and most impactful opportunity for improvement by associations, yet only half of the associations surveyed provide it. These results are in line with recent corporate statistics, which put awareness training between 50-60% of company employees.** One area addressed in security awareness training is password management. In this survey, approximately 58% of association respondents require passwords to be changed every three to six months, while 38% had no password requirements at all. 4

5 Access to Sensitive Information Safeguarding sensitive or personally identifiable information is critical to preventing cyber intrusions and required by law in many states. Associations collect, store and maintain a wealth of personally identifiable and financial data: date-of-birth, marital status, social security numbers, performance evaluations, payroll, bank account numbers, credit ratings etc. In general, the more individuals with access to sensitive data, the greater the risk that confidential information will be compromised. This survey only asked for the number of staff with overall access to personal and/or financial information. Future surveys will break this down to look at the limits and scope of access. 5

6 Data Breach Response Plans While 85% of participants said a data breach response plan was very important or somewhat important, only one-third of the associations have one. In addition, fewer than half of the associations, 44%, had a specific data security function in their organizations. 6

7 Who is Responsible? The primary responsibility for managing a security breach response rests with a cross-section of functions. In small association with 20 or fewer employees, responsibility was more likely to rest with the CEO or Executive Director. In larger organizations, responsibility was more often the function of IT staff. * Source: ** Source: Enterprise Management Associates 7

8 About SCIPP International SCIPP International is a global 501(c)(3) non-profit organization dedicated to solving information security problems where they need to be solved at the human level. Based in Washington, D.C., SCIPP delivers information security awareness education and certificate programs for enterprises throughout the world. The programs focus on increasing understanding and instilling positive behavioral changes as they relate to protecting important information assets. 8