In a new study commissioned by Resilient Systems, information security research firm The Ponemon Institute benchmarked UK organisations' resilience to cyber threats.
The study, titled “The Cyber Resilient Organisation in the United Kingdom: Learning to Thrive against Threats”, is the second report in a series of cyber-resilience studies. Announced in a press release, it found that 71 percent of UK organisations rate their cyber-resilience as low, underlining a lack of preparedness to handle cyber-attacks.
As part of the study, the Ponemon Institute surveyed 450 IT and security executives about their organisations' approaches to becoming more resilient in the face of increasingly problematic and frequent cyber-attacks.
The most common reasons given for this low rating are insufficient planning and preparedness, inadequate capability to respond to incidents, and a lack of clear ownership of cyber-resilience within the organisation.
The research is timely, with the European Parliament voting on the next phase of the Network and Information Systems Directive (NISD), which provides legal measures to raise the overall level of cyber-security in the EU by increasing the cyber-security capabilities of the Member States. Among those measures is a requirement for organisations to develop robust incident response plans.
Key takeaways from the UK Ponemon study include:
The state of cyber-resilience in the UK needs improvement
- Only 29 percent of organisations rate their cyber-resilience as high, and only 36 percent of organisations are confident in their ability to recover from a cyber-attack
Insufficient planning and preparedness is the major barrier to achieving a high level of cyber-resilience
- An incident response plan ranked as the most important governance practice, according to 76 percent of respondents. Yet 43 percent of companies have no cyber-security incident response plan (CSIRP) in place and are therefore unprepared to respond to a cyber-security incident
- Insufficient planning and preparedness ranked as the greatest barrier to cyber-resilience at 61 percent, ahead of insufficient awareness, analysis and assessment (55 percent) and complexity of business processes (51 percent)
- Additionally, 39 percent have only an “ad hoc” CSIRP in place, or one that is not applied across the enterprise
A high level of cyber-resilience is difficult to achieve if no single function clearly owns responsibility for it
- Only 19 percent of respondents say the chief information officer (CIO) is accountable for making their organisation resilient to cyber-threats, followed by 17 percent who say it's the business unit leader and 14 percent who say no one has overall responsibility
- With no clear leadership or responsibility, collaboration within organisations is also poor: only 15 percent of respondents rated collaboration as excellent, while nearly one-third (32 percent) said it is poor or non-existent
Organisational factors hinder efforts to achieve a high level of cyber-resilience
- Surprisingly, 56 percent of respondents reported that their organisations' leaders do not recognise that cyber-resilience affects enterprise risk and brand image
- Sixty-five percent of respondents believe that funding and staffing are insufficient to achieve a high level of cyber-resilience
- On average, respondents say their organisations are allocating 23 percent of the IT security budget to achieving cyber-resilience, which averages about $3.1 million for the organisations represented in this research
Larry Ponemon, founder of the Ponemon Institute, said: “Despite the growing importance of cyber-resilience, the research shows serious issues that need to be addressed if UK organisations are to survive the next wave of cyber-attacks. Until cyber-resilience becomes a coordinated, organisation-wide effort and the necessary technology and processes are put in place, organisations will remain vulnerable.”
John Bruce, CEO and co-founder of Resilient Systems, said: “When security incidents occur, organisations need to react quickly and decisively to ensure attacks are managed before they turn into serious business crises. That's the foundation of cyber-resilience.”
“By preparing and provisioning for these situations, and aligning the people, processes and technology for response, organisations can improve their security posture and actually thrive in the face of cyber-security incidents.”