Cyber security plans not tested for preparedness — study

MANILA, Philippines — While business firms and institutions are making cyber security response plans, they are not being tested on their true state of preparedness against cyberattack.

This was among the key findings of “The 2019 Cyber Resilient Organization” study conducted by the Ponemon Institute.

The study, which was also sponsored by IBM Resilient exploring preparations cyberattack, found that a vast majority of organizations are still unprepared to properly respond to cybersecurity incidents.

It indicated 77 percent of the respondents do not have a cybersecurity incident response plan applied consistently across the enterprise.

Of the organizations that do have a plan in place, more than half, or 54 percent, do not test their plans regularly, leaving them less prepared to effectively manage the complex processes and coordination that must take place in the wake of an attack.

“Failing to plan is a plan to fail when it comes to responding to a cybersecurity incident. These plans need to be stress tested regularly and need full support from the board to invest in the necessary people, processes and technologies to sustain such a program,” said Ted Julian, VP of Product Management and co-founder of IBM Resilient.

“When proper planning is paired with investments in automation, we see companies able to save millions of dollars during a breach,” he said.

Malcolm Rowe, business unit executive for ASEAN of IBM Security, in a briefing with Manila-based IT reporters, said the Ponemon study had for the first time also measured the impact of automation on cyber resilience.

When asked if their organization leveraged automation, only 23 percent said they were significant users, whereas 77 percent reported their organizations only use automation moderately, insignificantly or not at all.

Organizations with the extensive use of automation rate their ability to prevent (69 percent vs. 53 percent), detect (76 percent vs. 53 percent), respond (68 percent vs. 53 percent) and contain (74 percent vs. 49 percent) a cyberattack as higher than the overall sample of respondents.

The study also found cybersecurity skills gap is further undermining cyber resilience, as organizations are understaffed and unable to properly manage resources and needs.

Survey participants stated they lack the headcount to properly maintain and test their incident response plans and are facing 10-20 open seats on cybersecurity teams.

In fact, only 30 percent of respondents reported that staffing for cybersecurity is sufficient to achieve a high level of cyber resilience. Furthermore, 75 percent of respondents rate their difficulty in hiring and retaining skilled cybersecurity personnel as moderately high to high.

Adding to skills gap, nearly half of respondents (48 percent) admitted their organization deploys too many separate security tools, ultimately increasing operational complexity and reducing visibility into overall security posture.

The study also found that organizations are finally acknowledging collaboration between privacy and cybersecurity improves cyber resilience, with 62 percent indicating that aligning teams is essential to achieving resilience.

Most respondents believe the privacy role is becoming increasingly important, especially with the emergence of new regulations like GDPR and the California Consumer Privacy Act, and are prioritizing data protection when making IT buying decisions.

When asked what the top factor was in justifying cybersecurity spend, 56 percent of respondents said information loss or theft.

This rings especially true as consumers are demanding businesses do more to actively protect their data.

According to a recent survey by IBM, 78 percent of respondents say a company’s ability to keep their data private is extremely important, and only 20 percent completely trust organizations they interact with to maintain the privacy of their data.

In addition, most respondents also reported having a privacy leader employed, with 73 percent stating they have a Chief Privacy Officer, further proving that data privacy has become a top priority in organizations.

The study is the fourth annual benchmark study on cyber resilience – an organization’s ability to maintain its core purpose and integrity in the face of cyberattacks.

The global survey features insight from more than 3,600 security and IT professionals from around the world, including the United States, Canada, United Kingdom, France, Germany, Brazil, Australia, Middle East and Asia Pacific.