Businesses unprepared for cyber attacks, warn cyber professionals

Industry-wide discrepancy

The report also reveals an industry-wide discrepancy between how long it takes from when an organisation’s network is compromised to when they become aware of the event.

When ranking their capabilities, cyber pros voted “detection” as their strongest area (40%), with respondents reporting it takes an average of six hours to discover an incident, but other studies have revealed that in reality, the “time to detect” is drastically different.

Time to detection ranges from 24 hours, according to the 2017 SANS Incident Response Survey, to 49 days, according to the 2017 Trustwave Global Security Report, while it can take up to 99 days, according to Mandiant’s M-Trends 2017 Report.

The RedSeal Resilience Report said that despite detection being considered the security teams’ greatest strength, companies are struggling and not fully informed, citing as an example the fact that Sonic did not know it had been hacked until their credit card processor informed them of unusual activity.

Sonic acknowledged the breach, which compromised more than five million credit cards, only 11 days after the first batch of cards were uploaded for sale.

External regulations

Fourth, the poll revealed that in many cases compliance and not strategy is driving security planning, with 97% of respondents reporting that external regulations play a major role in their cyber security and resilience planning and implementation.

The RedSeal poll reveals that 92% of organisations have had to adapt the way that they meet regulatory requirements due to the use of public cloud platforms such as Amazon Web Services (AWS) and Microsoft Azure, while 12% said their organisations had to do a total rethink, and 49% said they had to make significant changes.

Only 27% are completely confident their IT systems can support regulatory requirements, which means 73% of companies might not meet the requirements for using public clouds and may be more exposed to attacks and breaches.

“Having any one of these four areas – resources, preparation, detection and overarching strategy –  in crisis is dangerous. Combined, they’re the harbinger of security disaster for any organisation,” said Ray Rothrock, CEO and chairman of RedSeal.

“This report underscores the urgency for the leaders of cyber strategy to pivot and aggressively pursue resilience, the ability to maintain business as usual while navigating an attack, as the new gold standard. Being prepared is the best defence.”

Cyber risk a business risk

CEOs must recognise cyber risk is also a business risk, and it should be treated as such, said Rothrock. “Yes, they should deploy security software and be prepared to fend off would-be hackers. However, technology alone is no longer sufficient for protecting an organisation’s data and reputation. They must support their tactics – and their business – with an informed strategic approach to cyber security,” he told Computer Weekly.

Businesses will eventually be compromised if any one of these areas is at risk, or not performing at its best, said Rothrock. 

“The fact that respondents pointed to all four as being at risk is a huge red flag. Moreover, nearly everyone (97%) reports that external regulations play a major role in their cyber security and resilience planning and implementation.  

“That means they’re paying attention to the rules. However – given they also report they last created a map of their entire network nine months ago –  there’s no way to know if their most valuable assets are accessible to bad actors,” he said.

Operational resilience

Asked what the most urgent call to action would be, Rothrock said operational resilience – proactively managing through a crisis – is the new gold standard overall.

“On the cyber front, digital resilience – the ability to contain the bad guys when they’re inside your network, and protect high-value assets like customer data and content from exfiltration – will protect your networks and your vital financial assets. 

“So, it’s important to know your network inside out. Know what’s important to your business and your customers, where it is, and make sure it’s secure. Our research showed 79% of senior IT professionals don’t believe they have the correct access to insights in order to prioritise their response to a breach.

“Networks change by the minute, and not only are organisations waiting the best part of a year to map or blueprint their entire network, but they are not updating their response plan in that time either.

“Tony A Gaskins reputedly said: “Success is never an accident; it’s always the result of a plan. They say chance favours the prepared, so get prepared and stay ready.”