Surprise? Most organizations are not cyber resilient

71 percent of UK organisations rate their cyber resilience as low today, underlining a lack of preparedness to handle cyberattacks in the majority of UK organisations, according to a new study by the Ponemon Institute.

The report highlights common reasons for this, particularly insufficient planning and preparedness, inadequate capability to respond to incidents, and a lack of clear ownership.

The study, authored by Larry Ponemon, chairman and founder of the Ponemon Institute, surveyed 450 IT and security executives about their organisations’ approaches to becoming more resilient in the face of increasingly problematic and frequent cyberattacks. The respondents comprised a wide range of senior security professionals across several verticals.

“The ability to recover from a cyber related incident is imperative for any business. Reports that 71% of UK organizations are not resilient represent a significant concern because this will directly impact their bottom line, and that of UK plc,” according to Raj Samani, Vice President and CTO, EMEA, Intel Security.

This insight is timely given the current European cybersecurity climate. In January, the European Parliament voted on the next phase of the Network and Information Security Directive (NISD), which aligns with many of the recommendations for building cyber resilience outlined in this study, including the requirement for organisations to develop robust incident response plans. The regulatory burden around cybersecurity for companies operating inside the European Union will also grow with the upcoming introduction of the General Data Protection Regulation (GDPR), bringing mandatory data breach reporting to Europe for the first time.

The state of cyber resilience in the UK needs improvement

Only 29 percent of organisations rate their cyber resilience as high, and only 36 percent of organisations are confident in their ability to recover from a cyberattack.

Insufficient planning and preparedness is the major barrier to achieving a high level of cyber resilience

An incident response plan is ranked as the most important governance practice by 76 percent of respondents. Yet 43 percent of companies have no computer security incident response plan (CSIRP) in place and are therefore unprepared to respond to a cyber security incident.

Insufficient planning and preparedness ranked as the greatest barrier to cyber resilience, cited by 61 percent, ahead of insufficient awareness, analysis and assessment (55 percent) and complexity of business processes (51 percent). A further 39 percent have only an “ad hoc” CSIRP, or one that is not applied across the enterprise.

“Most incident response plans focus primarily on containing the breach, applying remediation, and then recovering the systems. This approach is no longer applicable to the modern business environment which relies so heavily on ICT and the Internet. We are at a stage now where the impact of a cyber attack on a business can be crippling,” said Brian Honan, CEO at BH Consulting and Special Advisor on Internet Security to Europol’s European Cybercrime Centre.

“We often recommend to our clients that they integrate their Security Incident Response plans with their Business Continuity Response plans so that cyber attacks are included in the business continuity scenarios. If a cyber attack should occur, then the business will already have processes and procedures to invoke their BCP to enable them to continue to operate. In addition, we recommend clients follow the maxim that ‘prevention is better than the cure’, so that when they are planning their incident response scenarios they consider the business impact, not just the technical impact, and look to determine how to avoid single points of failure in the business processes. Finally, we recommend and often host exercises to test the efficiency of the response plans and the resilience of the solutions put into place. Cyber attacks are becoming more common and more aggressive, so businesses need to ensure they are prepared to survive such attacks with minimal impact to their business,” Honan concluded.

A high level of cyber resilience is difficult to achieve if no single function clearly owns responsibility

Only 19 percent of respondents say the chief information officer (CIO) is accountable for making their organisation resilient to cyber threats, followed by 17 percent who name a business unit leader, and 14 percent who say no one has overall responsibility.

Given this lack of clear leadership and ownership, collaboration within the organisation is also poor. Only 15 percent of respondents rate collaboration as excellent, while nearly one-third (32 percent) say it is poor or non-existent.

Organisational factors hinder efforts to achieve a high level of cyber resilience

Surprisingly, 56 percent of respondents report that their organisations’ leaders do not recognise that cyber resilience affects enterprise risk and brand image.

Sixty-five percent of respondents believe that funding and staffing are insufficient to achieve a high level of cyber resilience.

On average, respondents say their organisations allocate 23 percent of the IT security budget to achieving cyber resilience, which works out at roughly $3.1 million for the organisations represented in this research.