Two thirds of organizations aren’t prepared to recover from a cyber attack, according to a new study by the Ponemon Institute on behalf of Resilient (an IBM Company), and only a third of organizations feel they have a high level of cyber resilience.
The Cyber Resilient Organization Study found that 75% of respondents admit they do not have a formal cyber security incident response plan (CSIRP) that is applied consistently across the organization. Of those with a CSIRP in place, 52% have either not reviewed or updated the plan since it was put in place, or have no set plan for doing so. Additionally, 41% say the time to resolve a cyber incident has increased in the past 12 months, compared to only 31% who say it has decreased.
"This year’s cyber resilience study shows that organizations globally are still not prepared to manage and mitigate a cyber attack," said John Bruce, CEO and co-founder of Resilient. “Security leaders can drive significant improvement by making incident response a top priority – focusing on planning, preparation, and intelligence.”
The study also uncovered common barriers to cyber resilience. The majority – 66% – say “insufficient planning and preparedness” is the top barrier to cyber resilience. Respondents also indicate that the complexity of IT and business processes is increasing faster than their ability to prevent, detect, and respond to cyber attacks – leaving businesses vulnerable. This year, 46% of respondents say the “complexity of IT processes” is a significant barrier to achieving a high level of cyber resilience, up from 36% in 2015. 52% say “complexity of business processes” is a significant barrier, up from 47% in 2015.
It is perhaps this lack of preparedness that contributes to cyber attacks and data breaches featuring as the top two concerns for organizations according to the Business Continuity Institute's latest Horizon Scan Report. This report revealed that 85% and 80%, respectively, of respondents to a global survey expressed concern about the prospect of these two threats materialising.
The Cyber Resilience Report, also published by the BCI, revealed that two thirds of organizations experienced a cyber security incident during the previous year and 15% experienced at least 10. This shows that the cyber threat is very real and organizations must take it seriously and prepare themselves to combat against it more effectively.
“While companies are seeing the value of deploying an incident response plan, there is still a lag in having the appropriate people, processes, and technologies in place,” said Dr. Larry Ponemon. “We are encouraged that this is becoming a more important part of an overall IT security strategy.”