Trends in UK cyber resilience
Paul Ayers discusses what makes an organisation 'cyber-resilient' - and why that is so important
In today's cyber security landscape, data breaches are a reality that must be managed. Both the frequency with which organisations find themselves under attack, and the complexity and scale of attack types, demand that approaches to cyber security constantly evolve. Prevention and detection remain an important part of an overall strategy, but organisations are increasingly focused on their ability to continue to function as normal in the face of attacks.
'Cyber resilience' has become the aim - defined by the Ponemon Institute as "the capacity of an enterprise to maintain its core purpose and integrity in the face of cyberattacks." A cyber-resilient enterprise is one that can prevent, detect, contain and recover from many different threats against data, applications, and IT infrastructure.
The Ponemon Institute has investigated this growing requirement in depth in its Second Annual Study on the Cyber Resilient Organisation, conducting research into the cyber resilience of organisations in the United Kingdom for the second year running, as well as internationally in the United States, France, Germany, Australia, the United Arab Emirates and Brazil. More than 400 IT and security practitioners were surveyed in the UK - identifying the gaps, opportunities, and challenges that businesses face in trying to achieve cyber resilience, and how these are changing over time.
With the study now in its second year, clear trends are beginning to emerge.
Planning and preparedness for incidents remains the biggest challenge
For the second year in a row, insufficient planning and preparedness was identified as the most significant obstacle to achieving cyber resilience - both in the UK and worldwide. Most concerning is the fact that its share has increased year on year: it was ranked highest by 73 per cent of respondents in the UK, a significant rise from 61 per cent in 2016. This is also significantly higher than the global average of 66 per cent, and suggests that organisations have done little in the last 12 months to close the gap between the risks they face and their readiness to handle them.
However, the rise in security professionals identifying a lack of planning could also be explained by greater risk awareness. In contrast to preparedness, insufficient risk awareness fell sharply as a cited barrier, from 55 per cent to 40 per cent. Taken together, these figures show a trend in the thinking of businesses: the awareness is now there, and organisations are acutely conscious that they need to put more time into planning and preparedness in order to meet security threats.
Incident response capabilities remain underdeveloped
The figures show that far fewer organisations are confident in their ability to recover from an attack (33 per cent) than to prevent (40 per cent), detect (49 per cent) or contain (47 per cent) one. The need to improve incident response capabilities in order to recover better has not been lost on organisations - 80 per cent rate cyber security incident response plans (CSIRPs) as very important.
Consequently, there has been an improvement in incident response provisions. The proportion of organisations without a CSIRP has dropped from 43 to 20 per cent. However, there is still a lot of work to be done. Some 74 per cent of respondents admit they do not have a formal CSIRP applied consistently across the organisation. Of those with a CSIRP, 49 per cent have either not reviewed or updated the plan since it was put in place, or have no set method for doing so - again indicating a significant lack of preparedness.
The best versus the rest
Interesting conclusions can also be drawn by comparing the attributes of organisations that consider themselves to be cyber resilient with the average organisation. As may be expected, 'high performers' have fewer data breaches, resolve incidents faster and have fewer disruptions to business processes and IT services. So what are they doing differently?
Firstly, high performers were far more likely to have a CSIRP that is applied consistently across the enterprise - 50 per cent compared to 26 per cent - which again highlights the significant role incident response plays in achieving resilience.
Leadership team buy-in is found to have a positive correlation with an organisation's cyber resilience. High performers report significantly greater recognition of the effect of cyber resilience on brand reputation and revenues, and, consequently, higher funding and staff provision than the average organisation.
Highly cyber resilient organisations are also more likely to engage in best-practice security methods, such as threat intelligence sharing. Some 68 per cent of high performers said they share data breach information with the government or industry peers, compared to an average of 55 per cent. This lends considerable weight to the hypothesis that threat sharing initiatives improve security posture and benefit all parties involved.
Moving from recognition to action
Ultimately, the Ponemon Institute report shows that progress is being made: organisations are becoming increasingly aware of the importance of cyber resilience. They are taking positive steps such as the adoption of incident response plans, and there are high performers who are using best practice to become resilient to breaches.
However, cyber resilience is not achieved overnight and the average organisation still has a long way to go. To address the deficit in planning and preparedness, security professionals need to put consistent incident response plans in place throughout the organisation, backed by incident runbooks and by regular simulations and tests to ensure that the company is ready for when a breach happens. By taking the next step from recognising the problem to acting on it, organisations can make real strides towards true cyber resilience.
Paul Ayers is an executive with a proven track record of bringing success to security companies in EMEA. Prior to Resilient Systems, Paul was VP EMEA for Vormetric, and has also held senior positions for PGP Europe, PGP Corporation, and Symantec. Paul is also the Manager of Enterprise Memberships EMEA for the Cloud Security Alliance (CSA), a not-for-profit organisation with a mission to promote the use of best practices for providing security assurance within cloud computing.