We’ve all heard news reports about distributed denial of service (DDoS) attacks that hobble IT infrastructure and take an entire business offline, or data breaches that expose vast amounts of sensitive customer information to invisible cyber-criminals. Due to the emergence of the IoT with billions of endpoints, increasing usage of cloud computing, and large-scale data silos, the utilization of digital technology inevitably increases the cyber-risk posture of an organization.
Nevertheless, the 2019 Cost of a Data Breach Study (registration required), conducted annually for IBM by the Ponemon Institute, reveals that most companies aren’t anywhere near ready to do battle with cyber-criminals. Just over three-quarters (77%) of respondents reported that their enterprise lacks a consistent, company-wide cyber-security incident response plan.
Since numerous studies over the past few years show that companies that react quickly and efficiently to contain a cyber-attack within a month typically save roughly $1 million on the full cost of a data breach, this lack of planning is curious. In spite of the evidence, lackluster levels of solid cyber-security incident response planning have remained stubbornly constant over the past four years of the Ponemon study.
What’s more, over half (54%) of the organizations in the survey that do have a plan do not test it on a regular basis, which leaves them vulnerable should an attack strike. The complex coordination of work streams that needs to unfold after a security incident requires preparation and regular fire drills.
Security automation in its infancy
Of interest in this year’s study is the fact that, for the first time, the study gauged the impact of automation on cyber-resilience. By automation the study is referring to security technologies that support or replace humans to spot and/or contain cyber exploits or breaches. These solutions rely on artificial intelligence (AI), machine learning, analytics and orchestration to do their work.
Only 23% of respondents in the Ponemon study said they were significant users of automated security, while 77% said their companies use it only moderately, insignificantly or not at all. Not surprisingly, the ones that use automation widely rated their ability to detect, prevent and manage a cyber-attack more highly than the ones who use less or no automation.
In last year’s edition of the study, the use of automation was portrayed as a missed opportunity for companies that hope to boost their cyber-resilience. Organizations that went all out on security automation saved an average of $1.5 million on the total cost of a successful cyber-attack. The organizations that ignored automation paid a far greater overall cost.
Skills gap and complexity still impacting cyber-resilience
There’s yet another fact that seems to be affecting companies’ cyber-security: the global shortage of cyber-security talent. Organizations across the board say that a lack of properly trained security staff was hindering their ability to manage security resources and needs effectively. Survey respondents indicated that they don’t have enough trained people to maintain and test their incident response plans (if one even exists) and are also looking at between 10 and 20 vacancies on their cyber-security teams. Only one third of respondents (30%) felt they had enough trained IT staff to provide a high degree of cyber-resilience. Three quarters (75%) rated the difficulty of recruiting and keeping skilled cyber-security personnel as moderately high to high.
On top of the skills shortage, nearly half of the respondents (48%) reported that their company uses too many tools, which makes running and monitoring everything more complex and reduces their nimbleness in the event of a breach. In contrast, digital-savvy companies are more likely to have pared down and simplified their IT landscape. While more than half of the high-performers (53%) reported that their organization has the proper balance of security solutions in place to ensure resiliency, only 30% of respondents in the overall sample affirmed the same.
C-suite backing is vital
Every high-performing company benefits from strong, experienced and well-informed senior leaders. In terms of cyber-resilience, 66% of the survey respondents say smart leaders recognize that their company’s security efforts positively affect revenues. Just over half (56%) of the respondents say it affects their corporate brand and market reputation.
Further, C-level executives who know that cyber-resilience is critical are also led to understand that automation, machine learning, AI and orchestration can only strengthen that cyber-resilience. Consequently, respondents in high-performing organizations typically have the funding and trained people they need to ensure that the necessary resilience is there.
Not surprisingly, communication about cyber-security with top management happens more frequently in high-performing companies. More than half of respondents (51%), as opposed to 40% in the broader sample, link the effectiveness of their prevention, detection, containment of, and response to cyber-attacks directly to a knowledgeable and supportive C-suite and board. This support in high-performing organizations translates into 50% fewer business and IT disruptions than the average (30% in the high performers vs. 45% overall).
Although the C-suite is taking cyber-threats more seriously, the level of awareness is nowhere near enough. In the world of digital commerce, IT uptime, data integrity and data privacy are non-negotiable business requirements. Because of their lack of management support and insufficient preparation, trailing organizations are at risk of encountering greater disruptions and financial damages.