Corporate cyber-resilience — bad and getting worse

Larry Ponemon

Resilient, an IBM Company, and Ponemon Institute are pleased to release the findings of the second annual study on the importance of cyber resilience for a strong security posture. In a survey of more than 2,000 IT and IT security professionals from around the world, only 32 percent of respondents say their organization has a high level of cyber resilience—down slightly from 35 percent in 2015. The 2016 study also found that 66 percent of respondents believe their organization is not prepared to recover from cyber attacks.

In the context of this research we define cyber resilience as the alignment of prevention, detection and response capabilities to manage, mitigate and move on from cyberattacks. It refers to an enterprise’s capacity to maintain its core purpose and integrity in the face of cyberattacks. A cyber resilient enterprise is one that can prevent, detect, contain and recover from a myriad of serious threats against data, applications and IT infrastructure.

Cyber resilience supports a stronger security posture. In this report, we look at those organizations that believe they have achieved a very high level of cyber resilience and compare them to organizations that believe they have achieved only an average level of cyber resilience. This comparison reveals that high level cyber resilience reduces the occurrence of data breaches, enables organizations to resolve cyber incidents faster and results in fewer disruptions to business processes or IT services. The research also shows that a cybersecurity incident response plan (CSIRP) applied consistently across the entire enterprise with senior management’s support makes a significant difference in the ability to achieve high level cyber resilience.

Despite its importance for cyber resilience, the research demonstrates the continued challenges to implementing a CSIRP. Seventy-five percent of respondents admit they do not have a formal CSIRP applied consistently across the organization. Of those with a CSIRP in place, 52 percent have either not reviewed or updated the plan since it was put in place or have no set plan for doing so. Additionally, 41 percent of respondents say the time to resolve a cyber incident has increased in the past 12 months, compared to only 31 percent of respondents who say it has decreased.

Key components of cyber resilience are not improving. The key components of cyber resilience are the ability to prevent, detect, contain and recover from a cyber attack. As shown in Figure 1, respondents' confidence in achieving these components has changed very little since last year's study.

Last year, 38 percent of respondents rated their ability to prevent a cyber attack as high; this year 40 percent of respondents rated their ability to prevent a cyber attack as high.

Confidence in the ability to quickly detect and contain a cyber attack increased slightly from 47 percent of respondents to 50 percent of respondents and from 52 percent of respondents to 53 percent of respondents, respectively.

Confidence in the ability to recover from a cyber attack declined slightly. Last year, 38 percent of respondents rated their ability as high and this year, only 34 percent of respondents rate their ability as high.

Other key research findings

Investments in training, staffing and managed security services providers improve cyber resilience. In the past 12 months, only 27 percent of respondents say their cyber resilience has significantly improved (9 percent of respondents) or improved (18 percent of respondents). Those who report an improvement attribute it to an investment in staff training (54 percent of respondents) or to engaging a managed security services provider (42 percent of respondents).

Insufficient planning and preparedness remain the biggest barriers to cyber resilience. In 2015, 65 percent of respondents said insufficient planning and preparedness was the biggest barrier; this increased to 66 percent in 2016.

Complexity is having a greater impact on cyber resilience. In 2015, 36 percent of respondents said the complexity of IT processes was a barrier to a high level of cyber resilience and this increased significantly to 46 percent of respondents in 2016. More respondents also believe that the complexity of business processes has increased (47 percent of respondents in 2015 and 52 percent of respondents in 2016).

Incident response plans often do not exist or are ad hoc. Seventy-nine percent of respondents rate the importance of a CSIRP with skilled cybersecurity professionals as very important, and more organizations represented in this research have a CSIRP. However, only 25 percent of respondents say they have a CSIRP that is applied consistently across the enterprise (yet this does represent an increase from 18 percent in 2015). Similarly, the percentage of respondents who say their organizations do not have a CSIRP declined from 31 percent to 23 percent of respondents.

Cyber resilience is affected by the length of time it takes to respond to a security incident. Forty-one percent of respondents say the time to resolve a cyber incident has increased significantly (16 percent of respondents) or increased (25 percent of respondents). Only 31 percent of respondents say the time to resolve has decreased (22 percent of respondents) or decreased significantly (9 percent of respondents).

Human error is the top cyber threat affecting cyber resilience. When asked to rate seven IT security threats that may affect cyber resilience, respondents ranked human error as the biggest threat, followed by advanced persistent threats (APTs). Seventy-four percent of respondents say the incidents they experienced involved human error. IT system failures and data exfiltration were also significant, according to 46 percent and 45 percent of respondents, respectively.

Malware and phishing are the most frequent compromises to an organization’s IT networks or endpoints. Forty-four percent of respondents say disruptions to business processes or IT services as a consequence of cybersecurity breaches occur very frequently (16 percent of respondents) or frequently (28 percent of respondents).

A lack of resources and no perceived benefits are reasons not to share. Why are some companies reluctant to share threat intelligence? The 47 percent of respondents who do not share threat intelligence say it is because there is no perceived benefit (42 percent of respondents), there is a lack of resources (42 percent of respondents) or it costs too much (33 percent of respondents).

Senior management’s perception of the importance of cyber resilience has not changed. A trend that has not improved is the recognition of how cyber resilience affects revenues and brand reputation. In 2015, 52 percent of respondents said their leaders recognize that cyber resilience affects revenues and this declined slightly to 47 percent in 2016. Similarly, in 2015, 43 percent of respondents said cyber resilience affects brand reputation, and this stayed virtually the same in 2016 (45 percent of respondents). Almost half (48 percent of respondents) recognize that enterprise risks affect cyber resilience, a slight increase from 47 percent of respondents in 2015.

Funding increases slightly for cybersecurity budgets. In 2015, the average cybersecurity budget was $10 million. In 2016, this increased to an average of $11.4 million. More funding has been allocated to cyber resilience-related activities. In 2015, 26 percent of the IT security budget was allocated to cyber-resilience activities. This increased to 30 percent in 2016.

Global privacy regulations drive IT security funding. When asked about the regulations that drive IT security funding, most respondents point to the new EU General Data Protection Regulation (51 percent of respondents) or to the international laws of individual countries (50 percent of respondents). Only 22 percent of respondents rate their organization's ability to comply with the EU General Data Protection Regulation as high.

To read the rest of this report, visit ResilientSystems.com
