monsitj - Fotolia

Cyber resiliency of UK firms barely changed in a year, study shows

High performing UK companies with a high level of cyber security maturity are leading in cyber resiliency, but most have to work on operationalising incident response plans, Ponemon report shows

Despite some positive developments, UK firms have not improved their cyber resilience in the past year, according to a Ponemon Institute survey of 413 IT and IT security professionals.

UK firms have improved their ability to prevent and detect attacks – particularly among companies with greater security maturity or that are highly targeted by cyber attacks – but overall, they have lower confidence in containing and recovering from attacks, the survey revealed.

The second annual cyber resiliency study shows 40% of respondents said they were confident in preventing cyber attacks (up from 35% the year before) and 49% said they were confident in detecting attacks (up from 42%).

However, just 47% said they were confident in containing attacks (down from 49%) and 35% said they were confident in recovering from attacks (down from 36%).

As a result, 25% said their organisations had a high level of cyber resilience, which is almost flat compared with the previous year (29%). Only 29% overall said their organisation is prepared to recover from cyber attacks, down from 36% the previous year.

The Ponemon Institute defines “cyber resilience” as the alignment of prevention, detection and response capabilities to manage, mitigate and move on from cyber attacks by ensuring business operations are not interrupted and that the business is able to recover.

Although compliance with the European Union’s General Data Protection Regulation (GDPR) is less than 16 months away, most UK companies are still in a “recognition phase” when it comes to cyber resiliency and incident response plans, according to Paul Ayers, general manager for Europe, the Middle East and Africa at IBM Resilient, which commissioned the study.

“While most UK firms are able to recognise when cyber attacks are underway and recognise the need for an incident response plan, they either do not have a plan in place yet or are struggling to make their plan operational,” he told Computer Weekly.

However, he said the proportion of UK companies that had no incident response plan has decreased from 43% to just 20% in the past year.

Resilience means fewer breaches

Cyber resilience is relevant to the GDPR and similar UK data protection legislation because the Ponemon study shows that high level cyber resilience is linked to fewer data breaches, faster resolution of cyber incidents and fewer business interruptions.

Any organisation subject to a GDPR audit will have to demonstrate that they have consistent, tried and tested security processes in place.

Only 38% of organisations that rated their resilience as “high” said they had suffered a data breach, compared with 54% that rated their resilience as “average”.

While 40% of “average” organisations said time to resolve cyber incidents had increased, only 32% of organisations with a “high” level of resilience reported time increases.

Some 44% of companies with “average” resilience reported “frequent” or “very frequent” interruptions, compared with just 27% of “highly” resilient companies.

The survey revealed the GDPR (71%) is the top driver of IT security funding, followed by national laws (60%) but, despite this fact, only 22% of respondents rate their ability to comply with the GDPR as high.

The research also shows that a cyber security incident response plan (CSIRP) applied consistently across the entire enterprise with senior management’s support makes a significant difference in the ability to achieve high level cyber resilience.

Read more about incident response

  • Professional incident response providers can quickly bring the additional resources and the expertise that companies often need to handle a rapidly unfolding threat.
  • Planning and foresight are essential to any cyber security incident response plan. Follow these steps to make sure you are ready for a data breach.
  • Organisations hit by cyber attacks often lack an effective incident response plan. Why are so many unprepared?

According to the study, 74% of respondents admit they do not have a formal CSIRP applied consistently across the organisation. Of those with a plan in place, 49% have either not reviewed or updated the plan since it was put in place or have no plans to do so.

Additionally, 39% of respondents said the time to resolve an incident has increased in the past year, with just 27% saying it has decreased.

“The dip in confidence in cyber resiliency is possibly due to the operational challenges companies are encountering as they start to formulate and attempt to implement CSIRPs,” said Ayers.

“It typically takes time to shift budgets, recruit the appropriately skilled staff and put the supporting processes and technologies in place,” he said.

The biggest barrier to cyber resilience is insufficient planning and preparedness, according to 73% of respondents, up from 61% the previous year.

“Awareness of the need for greater cyber resiliency is broader than it was the year before and more organisations are working on a CSIRP. But only the high performing companies are succeeding in making those plans actionable, consistent and repeatable across the organisation with regular testing,” said Ayers.

Respondents also cited the complexity of business processes (47%), the complexity of IT processes (46%), and silos and turf issues (44%) as being the top barriers to cyber resilience.

A greater proportion of high performer organisations reported that business leaders recognise that cyber resilience affects brand reputation, that enterprise risks affect cyber resilience, and that cyber resilience affects revenues.

A larger number of high performer organisations also reported sufficient IT security funding to achieve a high level of cyber resilience and sufficient levels of staffing to achieve a high level of cyber resilience.

Investment in MSSPs and training improve security

The study shows an average of just 29% of the cyber security budget is spent on cyber resilience and that investments in training, staffing and managed security services providers (MSSPs) improve cyber resilience.

“UK firms, like firms worldwide, are facing a shortage of cyber skills, and there is a particular shortage when it comes to people with experience in incident response. As a result, more are looking to incident response platforms or MSSPs with this capability to make security professionals they have more efficient.

“With the right tools, junior analysts can reduce the workload to free up senior analysts to work on more complex security issues,” he said.

Another key finding of the report is that having an incident response platform and sharing threat intelligence are considered key initiatives for improving cyber resilience and delivering actionable intelligence to analysts.

A greater proportion of companies rated as “high” cyber resilience performers share information about data breaches with government and industry peers (68% compared with just 55% of “average” performers).

According to Ayers, by bringing threat intelligence and other security information together, incident response platforms contextualise and enrich data, and enable organisations to streamline incident response processes as well as set up automated and semi-automated responses to cyber attacks.

“Incident response platforms enable organisations to improve plans and make them consistent and repeatable, make use of all the security intelligence that is available from internal and external sources, and enable dynamic and automated responses to reduce the time to response,” he said.

“This latest research shows that UK companies have recognised the importance of cyber resilience to protect their business, but there are still challenges to be addressed,” said Larry Ponemon, chairman and founder of the Ponemon Institute.

“What we can see from the high-performing cyber resilient organisations in the UK is that investments in planning, employee skills and strong leadership will reap big dividends,” he said.

Read more about GDPR

Read more on Business continuity planning