How resilient are UK organisations to damage from cyber threats? New research from the Ponemon Institute indicates that there is still a surprisingly long way to go.
Most organisations, whatever their size, will have experienced a significant cyber security incident (whether they know it or not). Keeping as many of the bad guys out as possible is important, and always will be.
But because it is almost certain that sometimes the bad guys will get in, having plans to respond to a breach is just as important as putting the defences in place.
The Ponemon Institute has recently released a report into the cyber resilience of UK organisations. It doesn’t make particularly happy reading. In fact, half of the organisations surveyed admitted to a serious data breach (defined as losing 1,000 or more sensitive records) in the past two years, but only 35% were confident in their ability to recover from one.
Why is this? Part of the answer lies in a lack of preparation. While four-fifths of organisations say they have a response plan, in a third of organisations that plan is “ad hoc”, often not even written down, and in another third the plan applies only to part of the organisation.
At least most organisations (73%) are aware that a lack of planning is an important barrier to cyber resilience. But if that is the case, why isn’t more done? Leadership may be part of the problem. Fewer than half of organisations feel that their leaders recognise that cyber resilience positively affects brand reputation and revenues. And if leaders don’t recognise the importance of cyber resilience, why would they want to invest in it?
And investment is needed. Investment in technology, such as automation tools that make the job of responding to a breach easier. Investment in process, so that lines of command and decision trees are established in advance and can be followed during a crisis. And investment in educating people, so that they know what to do, and what to say, when a crisis hits.
The difficulty, though, is that without active leadership, cyber security and cyber resilience will often languish, thought of as either too difficult or too expensive (or both). And yet if the will is there to spend time on planning, costs can be contained to reasonable levels and damage can be significantly reduced.
Cyber breaches are not just a “cost of doing business”. They can have significant effects on brand (and board member) reputation, on competitive positioning, on revenues, and, perhaps most important of all, on the wellbeing of the individual consumers whose data has been stolen. That is why this report is a timely wake-up call to organisations that are failing to plan for the inevitable.
The second annual study on the cyber resilient organisation: United Kingdom is an independent study conducted by the Ponemon Institute and sponsored by IBM Resilient. Copies of the report (registration required) can be obtained here.