1 in 3 businesses have no incident response plan
Despite numerous commentators stating that it's now a case of 'when' rather than 'if' businesses are hit by a cyber attack, a new study reveals a third of companies have no incident response plans.
IT under threat from 'major' cyber attacks
Arbor Networks today announced the results of its survey on incident response, which was carried out by The Economist Intelligence Unit. The firm surveyed 360 senior business leaders, with 73 percent of these being C-level management or board members from various countries across the world. Approximately 31 percent were based in North America with 36 percent and 29 percent coming from Europe and Asia Pacific respectively.
The most alarming statistics from the study were that despite 77 percent of companies confessing to having suffered from some kind of data loss incident in the last two years, over a third (38 percent) of firms still had no incident response plans in place. More worryingly still, just 17 percent of global businesses involved in the study said that they were fully prepared for an ‘online security incident'. However, the study revealed that these companies were typically relying on the IT department and external resources – like IT forensic experts – hinting that there is a possible disconnect with C-level.
James Chambers, senior editor at The Economist Intelligence Unit, said that the study results were positive but warned that incident response needs to take higher priority.
“There is an encouraging trend towards formalising corporate incident response preparations. But with the source and impact of threats becoming harder to predict, executives should make sure that incident response becomes an organisational reflex rather than just a plan pulled down off the shelf,” said Chambers in a prepared statement.
Phil Cracknell, head of security and privacy services at Company 85 and former CISO at TNT Express, Yell Group and Nomura International, told SCMagazineUK.com that the results were indicative of ‘it won't happen to me' attitude.
“It's a belief that it will never happen to them, and because here in the UK you don't see too many execs dragged in front of the press to explain what went wrong; if we did maybe we would see more encouraging figures of readiness,” he told SCMagazineUK via email.
BH Consulting founder and analyst Brian Honan, meanwhile, warned that these problems would continue to arise so long as information security – and incident response – was treated as an IT issue with little effect on business operations.
This problem, he said, is exacerbated by the fact that some boardrooms may not take too kindly to being asked for additional money on top of the spend already issued for protecting the company's computer systems.
“It's quite common for us to come across companies that have no or inadequate incident response plans,” Honan told SCMagazineUK.com in a telephone briefing. “It's a big challenge getting big organisations to invest in incident response – and it's challenging for CISOs. They've got to get the companies to spend on the security to protect the business, and they also need money in case the investments don't work. It can be a hard sell.”
Honan agreed that a disconnect with the C-level, and an ‘it won't happen to us' philosophy can be obstacles in developing adequate incident response plans, and added that there is also an assumption that this is a “techies only” issue. Instead, he says that incident response should also include legal, PR and even HR departments – if an insider is to blame.
Cracknell, like Honan, did have words for encouragement for companies and said that companies need to first go through a data breach to understand how to respond, and formulate their plan.
“Retain experts, have a plan, run a workshop to ask all those awkward questions of the board that you would need in order to make decisions in during a crisis,” he said via email. “Create a series of web holding pages announcing you know an incident occurred, you are sorry for any inconvenience and the matter is being looked into.
“No news and poor communications will make any incident even worse…You can come out of a crisis and gain credibility if you handle it well.”