Paul Fleet - Fotolia
Most organisations still lack incident response plans
Most companies lack incident response plans, others fail to test them and nearly half are not GDPR compliant, but some report improved security through automation, a study shows
The majority of organisations are still unprepared to respond properly to cyber security incidents, with 77% of more than 3,600 security and IT professionals polled indicating they do not have a cyber security incident response plan (CSIRP) applied consistently across the enterprise.
In the UK, 75% of respondents said they do not have a consistently enterprise-wide CSIRP, which is only slightly better than the global average, according to the 2019 Cyber resilient organisation study conducted by the Ponemon Institute and sponsored by IBM Resilient.
In the UK, 28% of respondents said they had a CSIRP, but it is not applied consistently; 25% said their CSIRP was “informal” or “ad hoc”, and 23% said they did not have a CSIRP.
The Ponemon Institute noted that while studies show that companies that can respond quickly and efficiently to contain a cyber attack within 30 days save more than $1m on the total cost of a data breach on average, shortfalls in proper cyber security incident response planning have remained consistent over the past four years of the study.
Of the organisations that do have a plan in place, more than half (54%) do not test their plans regularly, leaving them less prepared to effectively manage the complex processes and coordination that must take place in the wake of an attack.
However, the study showed that UK firms fared slightly better than the global average, with 45% of firms with a CSIRP in place saying they did not test them regularly or at all.
This means that only 25% of UK organisations have enterprise-wide CSIRPs and only 55% of those plans are tested regularly, despite the fact that in the past two years, 56% of UK organisations polled said they had experienced a data breach, 62% said they had suffered a cyber security incident, and 51% said they had seen frequent disruptions to business processes or IT.
Of the UK organisations that experienced a data breach, 50% said they experienced two to three incidents in the past year, and of the organisations that experienced a cyber security incident, 19% had experienced more than five.
Despite the majority of UK organisations (70%) saying the severity of incidents has increased and 61% saying the volume of incidents has increased, 48% believe cyber their resilience has improved. Specifically, 26% said the time to detect, contain and respond to incidents has increased, and 30% said that it has increased “significantly”.
The continued difficulty that cyber security teams are facing in implementing a cyber security incident response plan has also impacted businesses compliance with the EU’s General Data Protection Regulation (GDPR), the study shows.
Nearly half of global respondents (46%) say their organisation has yet to realise full compliance with GDPR, even as the first anniversary of the legislation approaches.
The study also showed that automation in response is still emerging, with only 23% of the global respondents and only 18% of UK respondents saying their organisation significantly uses automation technologies, such as identity management and authentication, incident response platforms and security information and event management (Siem) tools, in their response process.
However, organisations with extensive use of automation rate their ability to prevent (69% vs 53%), detect (76% vs 53%), respond (68% vs 53%) and contain (74% vs 49%) a cyber attack as higher than the overall sample of respondents.
The use of automation is a missed opportunity to strengthen cyber resilience as organisations that fully deploy security automation save $1.55m on the total cost of a data breach, the report said, in contrast with organisations that do not use automation and realise a much higher total cost of a data breach, according to the 2018 Cost of a data breach study.
Read more about resilience
- Cyber resilience lacking due to apathy of UK leaders.
- Government lacks cyber resilience leadership, according to MPs.
- Security needs to shift to resilience, says consultant.
- Only a quarter always incorporate measures in their technology and operating models to make them more resilient to cyber attacks, a survey shows.
- While black swan events are random and unexpected, businesses can still prepare for them, according to a resiliency consultant.
In the UK, the study found that 68% of respondents said leaders recognise that cyber resilience affects revenues, 65% said leaders recognise that automation, machine learning, artificial intelligence and orchestration strengthen cyber resilience, and 52% said leaders recognise that cyber resilience affects brand and reputation.
The cyber security skills gap is further undermining cyber resilience, the report said, because organisations are understaffed and unable to manage resources and needs properly. Survey participants said they lack the headcount to maintain and test their incident response plans properly and are facing 10-20 open seats on cyber security teams.
Only 30% of global respondents reported that staffing for cyber security is sufficient to achieve a high level of cyber resilience, and about three-quarters of global and UK respondents rate their difficulty in hiring and retaining skilled cyber security personnel as moderately high to high.
Adding to the skills gap, nearly half of global respondents (48%) and one-third of UK respondents said their organisation deploys too many separate security tools, ultimately increasing operational complexity and reducing visibility into overall security posture.
Collaboration improves resilience
Organisations are finally acknowledging that collaboration between privacy and cyber security improves cyber resilience, the report said, with 62% indicating that aligning teams is essential to achieving resilience. Most respondents believe the privacy role is becoming increasingly important, especially with the emergence of new regulations such as the GDPR and the California Consumer Privacy Act, and are prioritising data protection when making IT buying decisions.
“Failing to plan is a plan to fail when it comes to responding to a cyber security incident,” said Ted Julian, vice-president, product management and co-founder of IBM Resilient. “These plans need to be stress tested regularly and need full support from the board to invest in the necessary people, processes and technologies to sustain such a programme. When proper planning is paired with investments in automation, we see companies able to save millions of dollars during a breach.”
The report recommended that organisations invest in automation to reduce complexity and streamline their IT infrastructure, noting that too many unnecessary security solutions and technologies can reduce cyber resilience.
The report also recommended deploying a CSIRP extensively throughout the enterprise to increase the likelihood of preventing an attack as well as reducing the time to detect, contain and respond to an attack.