Elizabeth Weise

USA TODAY

SAN FRANCISCO — A staggering 43% of companies have experienced a data breach in the past year, an annual study on data breach preparedness finds.

The report, released Wednesday, was conducted by the Ponemon Institute, which does independent research on privacy, data protection and information security policy.

That's up 10% from the year before.

The absolute size of the breaches is increasing, said Michael Bruemmer, vice president of the credit information company Experian's data breach resolution group, which sponsored the report.

"Particularly beginning with last quarter in 2013, and now with all the retail breaches this year, the size had gone exponentially up," Bruemmer said.

He cited one large international breach few Americans have even heard about. In January, more than 70% of South Koreans ages 15 to 65 — a total of 27 million — had their personal data stolen and credit cards compromised.

The breach was caused by a worker at the Korea Credit Bureau, which provides credit scores to Korean credit card companies.

While shadowy hackers in Eastern Europe often get the blame for these attacks, more than 80% of the breaches that Bruemmer's group works with "had a root cause in employee negligence," he said.

"It could be from someone giving out their password, someone being spear-phished, it could be a lost USB, it could be somebody mishandling files, it could be leaving the door to the network operations center open so someone can walk in," he said.

Despite the rise in breaches, 27% of companies didn't have a data breach response plan or team in place, though that's down from 39% who didn't have them in the previous year's survey.

Even in companies that have breach plans in place, employees aren't convinced they will work. Only 30% of those responding to the survey said their organization was "effective or very effective" at creating such plans.

One reason might be that few companies seem to take the need seriously. Of the companies surveyed, just 3% looked at their plan of action each quarter. Thirty-seven percent hadn't reviewed or updated their plan since it was first put in place.

The statistics don't surprise Ted Julian, chief marketing officer with Co3 Systems in Cambridge, Mass. His company does cyber-incident response management.

"Most organizations, and I'm only talking the sophisticated ones, have done a little, but it's not enough," he said.

Breaches are now just a part of life, and yet when they happen, too often companies pull out "a dusty incident-response plan that hasn't been touched in two years," Julian said.

The survey was conducted in 2014 and included 567 U.S. executives, most of whom reported to their company's information security officers.