Business resilience lacking in most firms, finds Accenture

Nearly two-thirds of companies are hit by cyber attacks daily or weekly, yet only a quarter always incorporate measures in their technology and operating models to make them more resilient, a survey shows

Most firms are failing to build business resilience in the face of an increasing onslaught of cyber attacks, a survey by IT services firm Accenture has revealed.

Nearly two-thirds of C-suite executives polled said cyber attacks occur daily or weekly, yet only a quarter said their company always incorporates measures into the design of its technology and operating models to make them more resilient.

Despite this finding, the report, Business resilience in the face of cyber risk, revealed that 88% of the more than 900 executives surveyed believed their cyber defence strategy was robust, understood and fully functional, while 86% claimed to measure their organisation’s resilience to determine what improvements are needed.

The survey also revealed that only 9% of respondents said their company proactively runs inward-directed attacks and intentional failures to test their systems on a continuous basis. Only 53% said their company has a continuity plan that they refresh as needed. 

Just 49% map and prioritise security, operational and failure scenarios, and even fewer (45%) have produced threat models for existing and planned business operations to enable rapid responses to an attack or system failure. Only 38% of the executives said their company had thoroughly documented the relationships between their technology and operational assets to identify resilience risks and dependencies in their organisation.

Cyber attack inevitable

“Given the prevalence of cyber attacks on today’s companies and government organisations, the only question for most is ‘when’ a cyber attack will occur, not ‘if’ it will occur,” said Brian Walker, managing director of Accenture Technology Strategy. 

“While savvy executives know where their weak spots are, and work across the C-suite to prepare accordingly, testing systems, planning for various scenarios and producing response and continuity plans that guide quick actions when a breach occurs, the data clearly shows that companies, by and large, have more work to do,” he said.

According to the report, successful enterprises recognise that responsibility for resilience and agility does not just fall to the CIO, chief information security officer (CISO) or chief risk officer. On average, the research found that companies have two executives in the C-suite who are responsible for continuously monitoring and improving their business resilience, but only 19% had a dedicated resilience officer.

“To enable and protect the company, CEOs should work closely with their CIO, CISO and others across their leadership team, as well as their board of directors, to make decisions about investments, and advance their business continuity efforts,” said Walker. 

“They cannot prevent an attack or failure, but they can mitigate the damage it can cause by taking steps to make their business more resilient, agile and fault-tolerant,” he said.

Business continuity recommendations

The report recommends that companies:

  • Create a digital ecosystem that enables them to team with other enterprises, augment their digital capabilities and access innovative technologies that reside outside the enterprise to strengthen their organisation’s security posture and effectiveness;
  • Manage digitally to deliver multi-speed business and IT capabilities in real time by simplifying the IT architecture and addressing the business’s evolving digital requirements in a dynamic environment; 
  • Institutionalise resilience by making it part of the operating model, ingrained from the outset into objectives, strategies, processes, technologies and organisational culture, including fostering open communication with boards on governance practices and enterprise risk management.
