Most UK firms lack cyber resilience, Ponemon study shows

Despite understanding the severity of cyber threats, most UK companies are not resilient to attacks and lack confidence in their ability to recover

Most UK firms lack cyber resilience, according to a Ponemon Institute survey of 450 security and IT professionals at medium to large companies across several verticals.

The study shows that insufficient planning and lack of clear ownership are the major inhibitors to achieving cyber resilience, putting UK businesses at risk.

Most of the firms polled lack preparedness to handle cyber attacks, with 71% of respondents rating their organisation’s cyber resilience as low.

“The UK findings reveal the understanding respondents have about the severity and multitude of cyber threats facing their organisations, and a key takeaway is how low respondents rate their organisations’ resilience to cyber threats,” said Larry Ponemon, chairman and founder of the Ponemon Institute.

“Only 29% of organisations rate their cyber resilience as high, and only 36% are confident in their ability to recover from a cyber attack,” he added.

Ponemon said the survey is timely given the current European cyber security climate and the coming Network and Information Security (NIS) Directive and General Data Protection Regulation (GDPR).

Political agreement on the draft texts was reached in December, so both pieces of legislation could be adopted this spring, meaning they would come into force in early 2018.

Together, the NIS Directive and the GDPR will force companies operating in the EU to become more cyber resilient and develop robust incident response plans.

Insufficient planning and preparedness

According to the Ponemon study, insufficient planning and preparedness is the major barrier to achieving a high level of cyber resilience.

Despite 76% of respondents recognising an incident response plan as the most important governance practice, 43% said their organisations were unprepared to respond to a cyber security incident and do not have a cyber security incident response platform in place.

Although 39% said they had an “ad hoc” incident response platform, or one that is not applied across the enterprise, that is tantamount to not having one at all, said Paul Ayers, general manager of incident response firm Resilient Systems, which commissioned the study.

The study said a high level of cyber security is hard to achieve if no single function clearly owns responsibility.

Only 19% of respondents said their chief information officer was accountable for making their organisation resilient to cyber threats, while 17% said a business unit leader was responsible, but 14% said no one has overall responsibility.

Lack of leadership and responsibility is also resulting in poor collaboration within organisations. Only 15% of respondents reported collaboration as excellent, and nearly one-third said collaboration was poor or non-existent.

According to the study, organisational factors hinder efforts to achieve greater cyber resilience, with 56% of respondents reporting that their organisations’ leaders do not recognise that cyber resilience affects enterprise risk and brand image.

Nearly two-thirds of respondents said their funding and staffing were insufficient to achieve a high level of cyber resilience, with organisations allocating an average of only 23% of their IT security budget to achieving cyber resilience.

“A lack of available talent is something we are seeing globally,” said Ayers, “and because there is only so much human capital available, organisations need to adopt a different approach to cyber security.

Shift in focus needed

“There needs to be a shift from focusing only on prevention to a cyber security strategy that also includes threat detection and incident response, supported with the necessary policies, processes and technologies.”

Ayers said cyber security has long been understood to be about prevention, detection and response, but most companies still tend to focus almost exclusively on prevention.

However, he said some companies, such as Resilient’s more than 100 global customers, are investing in the capability to aggregate data from all their security tools and combine it with intelligence feeds to orchestrate and automate their incident response processes.

“This approach reduces the volume of security alerts and ensures that security analysts and other incident responders can focus their attention only on the most important issues,” said Ayers.

A focus on incident response capability is also useful in enabling IT security teams to engage with board members, who typically have a good understanding of crisis management, he added.

Communicating with the board

“Incident response can be the bridge to communicating with the board, and dialogue around incident response as part of the company’s broader crisis management processes resonates better with people in the business than talking about encryption algorithms, for example,” said Ayers.

Despite the growing importance of cyber resilience, Larry Ponemon said the research shows serious issues need to be addressed if UK organisations are to survive the next wave of cyber attacks.

“Until cyber resilience becomes a co-ordinated, organisation-wide effort and the necessary technology and processes are put in place, organisations will remain vulnerable,” he said.

John Bruce, chief executive and co-founder of Resilient Systems, said that when security incidents occur, organisations must react quickly and decisively to ensure attacks are managed before they turn into serious business crises.

“By preparing and provisioning for these situations, and aligning the people, processes and technology for response, organisations can improve their security posture and actually thrive in the face of cyber security incidents,” he said.