Cyber resilience study

by Mark Rowe

Most UK organisations, 71 percent, would rate their cyber resilience as low today. That is according to a study, The Cyber Resilient Organisation in the United Kingdom: Learning to Thrive against Threats, from privacy and information security research firm Ponemon Institute, sponsored by Resilient Systems.

The report, which seeks to benchmark UK organisations’ resilience to cyber threats, points to insufficient planning and preparedness, inadequate capability to respond to incidents, and a lack of clear ownership.

The study, authored by Larry Ponemon, chairman and founder of the US-based Ponemon Institute, surveyed 450 IT and security executives about their organisations’ approaches to becoming more resilient in the face of increasingly problematic and frequent cyber-attacks. The respondents comprised a wide range of senior security professionals across several verticals. The research was first conducted in the United States in late 2015, with upcoming research for Germany to be released later.

The UK Ponemon study:

Only 29 percent of organisations rate their cyber resilience as high, and only 36 percent of organisations are confident in their ability to recover from a cyberattack

An incident response plan is placed as the most important governance practice, according to 76 percent of respondents. Yet, 43 percent of companies are unprepared to respond to a cyber security incident, without a cyber security incident response platform (CSIRP) in place

Insufficient planning and preparedness ranked as the greatest barrier to cyber resilience at 61 percent, ahead of insufficient awareness, analysis and assessment (55 percent) and complexity of business processes (51 percent)

Additionally, 39 percent have only an “ad hoc” CSIRP in place, or one that is not applied across the enterprise

A high level of cyber security is difficult to achieve if no single function clearly owns responsibility

Only 19 percent of respondents say the chief information officer (CIO) is accountable for making their organisation resilient to cyber threats, followed by 17 percent who say business unit leader, and 14 percent who say no one has overall responsibility

Due to the lack of leadership and responsibility, collaboration within organisations is also poor. Only 15 percent of respondents reported collaboration as excellent, with nearly one-third (32 percent) saying collaboration is poor or non-existent

About half (56 percent) of respondents reported that their organisations’ leaders do not recognise that cyber resilience affects enterprise risk and brand image

Sixty-five percent of respondents believe that funding and staffing are insufficient to achieve a high level of cyber resilience; and

On average, respondents say their organisations are allocating 23 percent of the IT security budget to achieving cyber resilience, which averages about $3.1m for the organisations represented in the research.

Larry Ponemon said: “Despite the growing importance of cyber resilience, the research shows serious issues that need to be addressed if UK organisations are to survive the next wave of cyberattacks. Until cyber resilience becomes a coordinated, organisation-wide effort and the necessary technology and processes are put in place, organisations will remain vulnerable.”

John Bruce, CEO and Co-Founder of Resilient Systems, said: “When security incidents occur, organisations need to react quickly and decisively to ensure attacks are managed before they turn into serious business crises. That’s the foundation of cyber resilience. By preparing and provisioning for these situations, and aligning the people, processes, and technology for response, organisations can improve their security posture and actually thrive in the face of cyber security incidents.”

