Many Canadian organizations have cyber security incident response plans that are incomplete or untested, if responses to a new survey are representative.
In a global report issued earlier this month, 74 per cent of Canadian respondents said they do not have a response plan that is applied consistently across their entire enterprise.
Of those that do have a plan, 59 per cent said they do not test them regularly, or don’t test at all.
Ray Boisvert, IBM Canada’s new associate partner of security services, said he was “shocked” by those numbers. Boisvert, who joined IBM four weeks ago after being Ontario’s provincial security advisor for two years, noted that most organizations have to do a fire drill once a year. But not to test a cyber response plan?
“What’s more likely to happen?” he asked. “Probably won’t be a fire; it’s very likely a cyber event.”
He was commenting on the release of the Ponemon Institute’s fourth annual cyber resilience study, which was sponsored by IBM.
The report is based on questions answered by 3,655 IT and IT security practitioners in Canada, the United States, India, Germany, Japan, Brazil, the United Kingdom, France, Australia, the Middle East, and Southeast Asian countries.
The accuracy of the numbers depends on several factors, including the fact that respondents are self-reporting.
Overall, the report’s authors said, since the series started in 2015 the cyber resilience of companies has steadily improved.
Still, it wasn’t only Canadian respondents whose answers were worrying:
– 77 per cent of overall respondents (and 74 per cent of Canadians) said they do not have a cyber security incident response plan that is applied consistently across the enterprise;
– Of the organizations surveyed that do have a plan in place, 54 per cent (59 per cent of Canadians) said they do not test their plans regularly.
These numbers have been constant throughout the four years of the study, the report said, despite the fact that other studies show that companies that can respond quickly and efficiently to contain a cyber attack within 30 days save, on average, over $1 million on the total cost of a data breach.
Asked why Canadian firms seem to be slow with incident response plans, Boisvert said there are a number of factors, including a lack of visibility on the network. “They have no idea of the breadth and depth of their network,” he said, due to mergers and acquisitions, new technology rollouts, being overwhelmed by false alerts and having to face increasingly sophisticated attacks.
He emphasized the need for CISOs to create an incident response plan with clear responsibilities. Then employees have to practice using the plan.
Lesson learned only post-breach
Asked when organizations will learn the importance of this last point, Boisvert replied, “sadly, in a lot of cases it’s post-breach when they realize, ‘Now that we’ve experienced this we never want to have it again.'”
Other takeaways from the study include:
· less than one-quarter of all respondents said their organization significantly uses automation technologies, such as identity management and authentication, incident response platforms and security information and event management (SIEM) tools, in their response process;
· only 30 per cent of respondents reported that staffing for cyber security is sufficient to achieve a high level of cyber resilience;
· 62 per cent of respondents indicated that aligning privacy and cybersecurity roles is essential or very important to achieving cyber resilience within their organizations.
Read the full report here (registration required).