IBM and Ponemon Institute’s fifth annual Cyber Resilient Organization Report surveyed more than 3,400 IT and security professionals globally and found that companies’ ability to contain cyber attacks has declined by 13% over the past several years, due to deficiencies in planning and preparing breach ‘playbooks’, as well as having IT security systems that are too complex. Key findings include:
- 74% of companies report that their breach playbooks are ‘either ad-hoc, applied inconsistently, or that they have no plans at all’, down from 82% in the first survey 5 years ago.
- Of those who have developed breach playbooks, only 45% have plans in place for ransomware attacks.
- 62% of companies without formal response plans experienced a disruptive security incident, compared with 39% of companies that have formal response plans.
- Companies with formal response plans report $1.2m less damage on average from a breach compared to companies without formal response plans.
- The number of security tools an organization uses is negatively correlated with its effectiveness. Companies with more than 50 security tools report a lower ability to detect (8% less efficient) and respond to (7% less efficient) attacks than those with fewer than 50 security tools.
Cyberhedge research corroborates several of the key findings in this study. First, how technology is managed is more important than what security technology a company has in place, and companies with better cyber governance policies and procedures are better prepared to defend against and manage cyber attacks and limit the amount of damage inflicted should one occur.
Companies that are operating without a playbook are at a significant disadvantage to those who have properly prepared for such attacks and engaged in scenario planning and table-top simulations. Poorly managed companies also tend to be weak at cyber governance. Whether or not a company has taken basic steps, such as having a cybersecurity incident response plan and, more broadly, appropriate cyber policies and processes in place, is an indicator of how seriously it understands and approaches the risks to the business. This is why management systems, not technology, are the decisive factor in determining good or bad cyber governance, including the likelihood of a breach. It is also more difficult to address than simply purchasing another ‘next gen’ firewall or endpoint security solution.