The decline of cyber resilience: Organizations unprepared to face attacks

Only 32 percent of IT and security professionals say their organisation has a high level of cyber resilience – down slightly from 35 percent in 2015, according to a global study involving 2,400 security and IT professionals, conducted by the Ponemon Institute.

The 2016 study also found that that 66 percent of respondents say their organisation is not prepared to recover from cyberattacks.

For the second straight year, the study showed that challenges with incident response (IR) are hindering cyber resilience. Seventy-five percent of respondents admit they do not have a formal cyber security incident response plan (CSIRP) that is applied consistently across the organisation. Of those with a CSIRP in place, 52 percent have either not reviewed or updated the plan since it was put in place, or have no set plan for doing so.

Additionally, 41 percent say the time to resolve a cyber incident has increased in the past 12 months, compared to only 31 percent who say it has decreased.

“Security leaders can drive significant improvement by making incident response a top priority – focusing on planning, preparation, and intelligence,” said John Bruce, CEO of Resilient, an IBM Company.

According to respondents, an incident response platform (IRP) is among the most effective security technologies for helping organisations become cyber resilient, along with identity management and authentication, and intrusion detection and prevention systems.

The study also uncovered common barriers to cyber resilience. The majority – 66 percent – say “insufficient planning and preparedness” is the top barrier to cyber resilience. Respondents also indicate that the complexity of IT and businesses processes is increasing faster than their ability to prevent, detect, and respond to cyberattacks – leaving businesses vulnerable.

This year, 46 percent of respondents say the “complexity of IT processes” is a significant barrier to achieving a high level of cyber resilience, up from 36 percent in 2015. Fifty-two percent say “complexity of business processes” is a significant barrier, up from 47 percent in 2015.

“While companies are seeing the value of deploying an incident response plan, there is still a lag in having the appropriate people, processes, and technologies in place,” said Dr. Larry Ponemon. “We are encouraged that this is becoming a more important part of an overall IT security strategy.”

Companies are experiencing frequent and successful cyberattacks

• More than half (53 percent) say they suffered at least one data breach in the past two years
• 74 percent say they faced threats due to human error in the past year
• When examining the past two years, 74 percent say they have been compromised by malware on a frequent basis, and 64 percent have been compromised by phishing on a frequent basis.

Organisations can’t maintain operations effectively or recover quickly post-attack

• 68 percent don’t believe their organisations have the ability to remain resilient in the wake of a cyberattack
• 66 percent aren’t confident in their organisation’s ability to effectively recover from an attack.

A lack of planning and preparation is the biggest barrier

• Only 25 percent have an incident response plan applied consistently across the organisation. Twenty-three percent have no incident response plan at all
• Only 14 percent test their incident response plans more than one time per year
• 66 percent cite a lack of planning as their organisation’s biggest barrier to becoming resilient to cyberattacks.

Ability to respond to a cyberattack has not improved significantly

• 48 percent say their organisation’s cyber resilience has either declined (4 percent) or not improved (44 percent) over the past 12 months
• 41 percent say the time to resolve a cyber incident has increased or increased significantly, while only 31 percent say it has decreased or decreased significantly.