Given the high media profile of data breaches at large household-name organisations over the last five or so years, it is incredibly disappointing to see a new study reveal that nearly three out of four (71%) UK organisations rate their cyber resilience as low. Incredibly, more than half (56%) of respondents reported that their organisations’ leaders did not recognise that cyber resilience could affect their enterprise risk and brand image. This is especially worrying, as businesses will have to prepare themselves for the forthcoming General Data Protection Regulation (GDPR), due by 2018, which allows large fines to be levied on organisations that fail to protect their data.
The Ponemon Institute survey, 'The Cyber Resilient Organisation in the United Kingdom: Learning to Thrive against Threats', has benchmarked UK organisations’ resilience to cyber threats and found it severely wanting: less than a third (29%) rated their cyber resilience as high, and only 36% were confident in their ability to recover from a cyberattack.
When asked why their cyber resilience was so woefully inadequate, organisations cited insufficient planning and preparedness, inadequate capability to respond to incidents, a lack of clear ownership and a shortage of skills.
The majority of those polled (65%) believe that funding and staffing are insufficient to achieve a high level of cyber resilience. Respondents indicated that their organisations allocate 23% of the IT security budget to achieving cyber resilience, which averages about £2.1 million for the organisations represented in this research.
One of the main problems businesses faced was a lack of coordination within the organisation over responsibility for cyber security. Only 19% of respondents said their chief information officer (CIO) was accountable for making their organisation resilient to cyber threats, followed by 17% who said a business unit leader was, and 14% who said no one has overall responsibility.
“Despite the growing importance of cyber resilience, the research shows serious issues that need to be addressed if UK organisations are to survive the next wave of cyber-attacks,” said Larry Ponemon. “Until cyber resilience becomes a coordinated, organisation-wide effort and the necessary technology and processes are put in place, organisations will remain vulnerable.”
While an incident response plan is ranked as the most important governance practice, according to 76% of respondents, less than half (43%) were unprepared to respond to a cyber security incident, having no cyber security incident response platform (CSIRP) in place.
Insufficient planning and preparedness ranked as the greatest barrier to cyber resilience at 61%, ahead of insufficient awareness, analysis and assessment (55%) and complexity of business processes (51%). Additionally, 39% have only an “ad hoc” CSIRP in place, or one that is not applied across the enterprise.
John Bruce, CEO and co-founder of survey sponsor Resilient Systems, recommends that organisations react quickly and decisively to ensure attacks are managed before they turn into serious business crises, explaining: “By preparing and provisioning for these situations, and aligning the people, processes, and technology for response, organisations can improve their security posture and actually thrive in the face of cyber security incidents.”
Download a copy of 'The Cyber Resilient Organisation in the United Kingdom: Learning to Thrive against Threats' report here.