Two-year study shows decline in cyber resilience
Written by staff reporter
For the second straight year, companies are reporting major challenges with incident response following a cyber incident. Seventy-five per cent of respondents to a study carried out by IBM and the Ponemon Institute admit they do not have a formal cyber security incident response plan that is applied consistently across the organisation. Of those with a plan in place, 52% have either not reviewed or updated the plan since it was put in place, or have no set plan for doing so. Additionally, 41% say the time to resolve a cyber incident has increased in the past 12 months, compared to only 31% who say it has decreased.
The annual 'Cyber Resilient Organisation' study found that only 32% of IT and security professionals say their organisation has a high level of cyber resilience – down slightly from 35% in 2015. The 2016 study also found that that 66% of respondents say their organisation is not prepared to recover from cyber attacks.
"This year’s Cyber Resilience Study shows that organisations globally are still not prepared to manage and mitigate a cyber attack," said John Bruce, CEO of IBM Resilient. “Security leaders can drive significant improvement by making incident response a top priority – focusing on planning, preparation, and intelligence.”
The global survey features insight from more than 2,400 security and IT professionals from around the world, including the United States, United Kingdom, France, Germany, United Arab Emirates, Brazil, and Australia.
It uncovered common barriers to cyber resilience. The majority – 66% – say “insufficient planning and preparedness” is the top barrier to cyber resilience. Respondents also indicate that the complexity of IT and businesses processes is increasing faster than their ability to prevent, detect, and respond to cyber attacks – leaving businesses vulnerable. This year, 46% of respondents say the “complexity of IT processes” is a significant barrier to achieving a high level of cyber resilience, up from 36% in 2015. Fifty-two per cent say “complexity of business processes” is a significant barrier, up from 47% in 2015.
In figures: Cyber resilience (Source: 'Cyber Resilient Organisation' by IBM and Ponemon Institute)
• Companies are experiencing frequent and successful cyber attacks
-More than half (53%) say they suffered at least one data breach in the past two years
-74% say they faced threats due to human error in the past year
-When examining the past two years, 74% say they have been compromised by malware on a frequent basis, and 64% have been compromised by phishing on a frequent basis
• Organisations can’t maintain operations effectively or recover quickly post-attack
-68% don’t believe their organisations have the ability to remain resilient in the wake of a cyber attack
-66% aren’t confident in their organisation’s ability to effectively recover from an attack
• A lack of planning and preparation is the biggest barrier
-Only 25% have an incident response plan applied consistently across the organisation. 23% have no incident response plan at all
-Only 14% test their incident response plans more than one time per year
-66% cite a lack of planning as their organisation’s biggest barrier to becoming resilient to cyber attacks
• Ability to respond to a cyber attack has not improved significantly
-48% say their organisation’s cyber resilience has either declined (4%) or not improved (44%) over the past 12 months
-41% say the time to resolve a cyber incident has increased or increased significantly, while only 31% say it has decreased or decreased significantly