Overwhelming Majority Of Businesses Have No Cyber Incident Response Plan



Dan Gunderman
03/22/2018

Amid ongoing digital transformations, technology is certainly proliferating – cloud computing, Internet of Things (IoT) devices, and more – but is it outpacing cyber security? That just may be the case in the enterprise.

As it turns out, cyber resiliency is lacking in the workplace. Resiliency, of course, is tied to security posture, but also to risk management and ample incident response controls. The latter could mean outsourcing incident response to consulting firms, doing internal audits and investigations, or bolstering business continuity plans.

A recent global study exploring the challenges of cyber resiliency emerged last week – and shed light on what is, in many cases, a worrisome lack of security controls. The study, conducted by the Ponemon Institute and sponsored by IBM Resilient, found that 77% of 2,800 respondents do not have a formal cyber security incident response plan (CSIRP) applied consistently across their organization. According to a release on the study, nearly half of the respondents said their related plan is informal, ad hoc or non-existent.

“The 2018 Cyber Resilient Organization” examines an enterprise’s ability to withstand cyber-attacks and polled more than 2,800 global security and IT professionals.

Despite the measurable lack of formal CSIRPs, the report suggests that 72% of organizations feel more cyber resilient than one year ago. Sixty-one percent of resilient organizations say their success is intertwined with the hiring of effective personnel.

Nevertheless, resiliency is not dependent on the workforce alone. The findings suggest that slow progression to AI and machine learning is holding back cyber progress/resilience (60% of respondents made this remark).

In the release, IBM Resilient Co-Founder and VP of Product Management, Ted Julian, said, “Organizations may be feeling more Cyber Resilient today, and the biggest reason why was hiring skilled personnel. Having the right staff in place is critical but arming them with the most modern tools to augment their work is equally as important.”

Julian also said effective CSIRPs “orchestrate human intelligence with machine learning.”

Despite the slight climb in resilience confidence, 57% of respondents said that the time it takes to resolve a cyber incident has increased. Another 65% said attack severity has worsened. So, with the evolving and strengthening threat landscape, one might think the cyber spend can adapt and respond, correct?

As it turns out, just 31% of those surveyed said they have an adequate cyber resilience budget. Add in 77% of respondents citing difficulty in hiring IT security practitioners and you have the ingredients for an ineffective security operation.

As the findings further suggest, resiliency must be a top contender when it comes to cyber-planning and mitigation. The statistics also show that organizations appear to be playing catch-up with the unruly tides of the threat landscape.

Commenting on the findings, Dr. Larry Ponemon said, “A sharp focus in a few crucial areas can make a big difference when it comes to Cyber Resilience. Ensuring the security function is equipped with a proper incident response plan, staffing and budget will lead to a stronger security posture and better overall Cyber Resilience.”

According to the survey, data breaches cost organizations $1 million less when they were contained and resolved in less than 30 days.

One area the recent study also emphasizes is “compliance”: The upcoming General Data Protection Regulation (GDPR) out of the European Union (EU) asserts that organizations must have an active incident response plan. With 77% of respondents claiming to have disparate CSIRPs, that could spell “noncompliance” with the sweeping measure (accompanied by a steep fine). Viewed from afar, it appears most polled countries do not have confidence in GDPR compliance, according to the release.

What’s more, incident response is even making headlines in the federal government. According to the National Law Review, the House of Representatives' Homeland Security Committee recently approved the Cyber Incident Response Teams Act, poised to create groups within the Department of Homeland Security (DHS) dedicated to incident response.

According to Inside Cyber Security reporting on March 19, the measure, proposed by Homeland Security Chairman Michael McCaul (R-Texas), was set to clear the House. The proposal creates cyber hunt and incident response teams as part of the National Cyber Security and Communications Integration Center, an entity which monitors cyber-threats to critical infrastructure.
