Most firms are failing to build business resilience in the face of an increasing onslaught of cyber attacks, a survey by IT services firm Accenture has revealed.
Nearly two-thirds of C-suite executives polled said cyber attacks occur daily or weekly, yet only a quarter said their company always incorporates measures into the design of its technology and operating models to make them more resilient.
Despite this finding, the "Business resilience in the face of cyber risk" report revealed that 88% of the more than 900 executives surveyed believed their cyber defence strategy was robust, understood and fully functional, while 86% claimed to measure their organisation’s resilience to determine what improvements are needed.
The survey also revealed that only 9% of respondents said their company proactively runs inward-directed attacks and intentional failures to test their systems on a continuous basis. Only 53% said their company has a continuity plan that they refresh as needed.
Just 49% map and prioritise security, operational and failure scenarios, and even fewer (45%) have produced threat models for existing and planned business operations to enable rapid responses to an attack or system failure. Only 38% of the executives said their company had thoroughly documented the relationships between their technology and operational assets to identify resilience risks and dependencies in their organisation.
Cyber attack inevitable
“Given the prevalence of cyber attacks on today’s companies and government organisations, the only question for most is ‘when’ a cyber attack will occur, not ‘if’ it will occur,” said Brian Walker, managing director of Accenture Technology Strategy.
“While savvy executives know where their weak spots are, and work across the C-suite to prepare accordingly, testing systems, planning for various scenarios and producing response and continuity plans that guide quick actions when a breach occurs, the data clearly shows that companies, by and large, have more work to do,” he said.
According to the report, successful enterprises recognise that responsibility for resilience and agility does not just fall to the CIO, chief information security officer (CISO) or chief risk officer. On average, the research found that companies have two executives in the C-suite who are responsible for continuously monitoring and improving their business resilience, but only 19% had a dedicated resilience officer.
“To enable and protect the company, CEOs should work closely with their CIO, CISO and others across their leadership team, as well as their board of directors, to make decisions about investments, and advance their business continuity efforts,” said Walker.
“They cannot prevent an attack or failure, but they can mitigate the damage it can cause by taking steps to make their business more resilient, agile and fault-tolerant,” he said.
Business continuity recommendations
The report recommends that companies:
- Create a digital ecosystem that enables them to team with other enterprises, augment their digital capabilities and access innovative technologies that reside outside the enterprise to strengthen their organisation’s security posture and effectiveness;
- Manage digitally to deliver multi-speed business and IT capabilities in real time by simplifying the IT architecture and addressing the business’s evolving digital requirements in a dynamic environment;
- Institutionalise resilience by making it part of the operating model, ingrained from the outset into objectives, strategies, processes, technologies and organisational culture, including fostering open communication with boards on governance practices and enterprise risk management.