There is a need for a stronger cyber resilience culture across organisations and a focus on the human factors involved in cyber security to counter cyber disruptions, a report has concluded.
“It is essential that business continuity and cyber or information security functions pool their expertise and respond to incidents, as well as build cyber resilience in a coordinated way,” said the Cyber Resilience Report, published by the Business Continuity Institute in collaboration with Sungard Availability Services.
Nearly two-thirds of respondents to a survey of more than 700 IT professionals in 69 countries said they had experienced at least one cyber disruption during the previous 12 months and 15% had experienced at least 10.
Of those who had experienced a cyber disruption, 57% said that phishing or social engineering had been one of the causes, demonstrating the need for users to be better educated about the threat and the role they can play in helping to prevent an incident occurring.
“But the key takeaway here is that 15% of IT professionals said they did not know how many cyber disruptions happened in their organisation in the past 12 months,” Gianluca Riglietti, co-author of the report and BCI research and insight associate, said at the official launch of the report in London.
“And when we segmented the data according to functional role, we saw that 15% included business continuity professionals, risk management professionals, emergency planning professionals and information security professionals.
“This begs the question of how organisations can build arrangements to ensure there is more awareness and knowledge about cyber incidents if these people do not know about cyber disruptions,” he said.
A third of respondents suffered disruptions totalling more than €50,000, more than one in 10 experienced losses in excess of €250,000, and one in six respondents reported a single incident resulting in losses of more than €50,000.
In small to medium-sized enterprises (SMEs), 18% of respondents reported cumulative losses of more than €50,000. These are significant losses, according to the report, in light of the fact that 40% of SMEs involved in the study reported an annual turnover of less than €1m.
As cyber attacks and data breaches become more commonplace, the report said organisations face greater risks to their brand or reputation.
“With criminals targeting global brands and small businesses alike, it is a matter of when, not if, an organisation will be affected. It is therefore essential to consider the reputational implications of a breach, in addition to possible revenue loss and fines. A business impact analysis may be able to pinpoint these implications, which may help in raising cyber resilience,” the report said.
Mixed response times
Some 87% of respondents reported having business continuity arrangements in place to respond to cyber incidents, up from 75% in 2016, indicating that business continuity is now widely accepted as playing a key role in helping to build cyber resilience. However, 67% of respondents said their organisation takes more than one hour to respond to a cyber incident, and 16% said it can take more than four hours.
Riglietti said the increase in organisations with business continuity plans in place is most likely due to increased awareness about the cyber threat. “It is also due to the increased awareness of the positive impact that business continuity can have in the context of cyber resilience strategy.”
However, only a third of organisations reported being able to respond to cyber incidents within the so-called “golden” first hour of a cyber incident.
“Around one in six organisations are taking more than four hours to respond, which is probably because they don’t have the people or resources, or they don’t know what to do because they don’t have a plan that has been exercised, which is another key part of a cyber resilience strategy,” he said.
The number of respondents reporting top management commitment to implementing the right solutions to the cyber threat increased from 55% to 60% in the past year, which the report said is likely due to a number of factors, such as the intense media coverage of cyber security incidents and the impending EU General Data Protection Regulation (GDPR) compliance deadline.
Co-operation key to building cyber resilience
David Thorp, executive director at the BCI, said co-operation is key to building cyber and organisational resilience.
“Different disciplines such as business continuity, information security and risk management need to come together, share intelligence and start speaking the same language if they want to build a safer future for their organisations and communities,” he said.
According to Thorp, the survey shows that business continuity and information security can work together to make organisations more cyber resilient.
Most of the professionals polled, he said, revealed that the gap among different management disciplines is already being bridged.
“For instance, the vast majority of the respondents reported having business continuity management programmes and teams, as well as information security programmes and teams dedicated to countering cyber incidents, and several respondents stated how business continuity is no longer separated from the IT and cyber department,” he said.
There is still plenty of room for improvement, with phishing and social engineering still among the most dangerous threats as they are the most popular way to deliver malware. “This reveals a weakness in the human aspect of cyber resilience, which calls for better education and awareness-raising initiatives,” said Thorp.
Data sovereignty now a key focus
Keith Tilley, executive vice-president and vice-chair at Sungard Availability Services, said Brexit and the GDPR have thrown up even more questions about data laws and compliance, making data sovereignty a key focus for business.
“Companies need to demonstrate a comprehensive understanding of where their data is hosted, where it’s backed up, moved and recovered, as well as who can see it along the way,” he said.
The fact that data laws are constantly subject to change, with region- and country-specific regulation, is a challenge for large organisations, said Tilley. “Establishing how to meet these regulations, as well as global needs, will be vital, as will the ability to handle data access, residency, integrity and security.”
According to the report, legislative and regulatory changes will drive cyber resilience and heavily influence efforts in this regard. As governments and regulatory agencies worldwide tighten data protection rules, the report said organisations face greater scrutiny in their stewardship and use of personal data.
“As the volume of personal data shared with organisations grows significantly over time, privacy is expected to be an emerging frontier of practice. Therefore, the cyber resilience calculus would increasingly have to consider protecting personal data,” the report said.
Supply chains crucial to cyber resilience
Another key finding of the report is that an organisation’s cyber resilience is influenced by the cyber resilience of its supply chain, with 43% of organisations depending on more than 20 suppliers.
“As supply chains continue to be more complex, the BCI Horizon Scan Report concluded that suppliers are forecast to influence, and feature more significantly in an organisation’s cyber resilience. More than ever, it is important for organisations to maintain visibility with their suppliers and influence them in maintaining cyber resilience,” the report said.
Although the report does not detail responses along geographical lines, Riglietti said there is generally good business continuity awareness across the UK and good integration with cyber resilience strategies, but added that there is always room for improvement.