IBM Security has announced the results of a global study exploring the factors and challenges of being a cyber resilient organisation. The study was conducted by The Ponemon Institute and sponsored by IBM Resilient and found that 77% of respondents admit they don’t have a formal cyber security incident response plan applied consistently across their organisation. Nearly half of the 2,800 respondents reported that their incident response plan is either informal or ad hoc or otherwise completely non-existent.
Despite this lack of formal planning, 72% of organisations report feeling more cyber resilient today than they were last year. Highly resilient organisations (61%) attribute their confidence to their ability to hire skilled personnel, but organisations need both technology and people to be cyber resilient. In fact, 60% of respondents consider a lack of investment in Artificial Intelligence and machine learning as the biggest barrier to cyber resilience.
This confidence may be misplaced, with the analysis revealing that 57% of respondents said the time to resolve an incident has increased, while 65% reported that the severity of the attacks has escalated. These areas represent some of the key factors impacting overall cyber resiliency. Problems encountered are then further compounded by just 31% of those surveyed having an adequate cyber resilience budget in place and difficulty retaining and hiring IT security professionals (77%).
“Organisations may be feeling more cyber resilient today, with the biggest reason for this being the hiring of skilled personnel,” said Ted Julian, vice-president of product management and co-founder of IBM Resilient. “Having the right staff in place is critical, but arming them with the most modern tools to augment their work is equally as important. A response plan that orchestrates human intelligence with machine intelligence is the only way in which security teams are going to stay ahead of the threat and improve overall cyber resilience.”
Cost of data breaches
The lack of a consistent cyber security incident response plan is a persistent trend each year despite a key finding from IBM’s 2017 Cost of a Data Breach Study. The cost of a data breach was nearly $1 million lower on average when organisations were able to contain the breach in less than 30 days, in turn highlighting the value and importance of having a strong cyber security incident response plan in place.
The Cyber Resilient Organisation 2018 is the third annual benchmark study on cyber resilience (an organisation’s ability to maintain its core purpose and integrity in the face of cyber attacks). The global survey features insight from more than 2,800 security and IT professionals from around the world, including the United States, the UK, France, Germany, Brazil, the Asia Pacific region, the Middle East and Australia.
“A sharp focus in a few crucial areas can make a big difference when it comes to cyber resilience,” explained Dr Larry Ponemon. “Ensuring the security function is equipped with a proper incident response plan, staffing and budget will lead to a stronger security posture and better overall cyber resilience.”
There are other takeaways from the study. Staffing for cyber resilience-related activities is inadequate. The second-biggest barrier to cyber resilience is having insufficient skilled personnel dedicated to cyber security. 29% of respondents reported having ideal staffing to achieve cyber resilience. 50% state that their organisation’s current Chief Information Security Officer (CISO) or security leader has been in place for three years or less. 23% report that they don’t currently have a CISO or security leader in situ.
Generally speaking, organisations don’t appear to be ready for the European Union’s General Data Protection Regulation (GDPR) that takes effect in May 2018 and will mandate that organisations have an incident response plan in place. 77% of respondents don’t have an incident response plan that’s applied consistently across the entire enterprise. Most of those countries surveyed don’t report confidence in their ability to comply with the GDPR.
*The Executive Summary of the study findings can be downloaded here