Only 29% of UK organizations would rate their cyber-resilience as ‘high’, and 43% of companies are unprepared to respond to a cybersecurity incident without an incident response platform (CSIRP) in place.
According to research by Resilient Systems and the Ponemon Institute of 450 IT and security executives, just over a third (36%) of organizations are confident in their ability to recover from a cyber-attack.
Speaking to Infosecurity, Paul Ayers, EMEA general manager at Resilient Systems says that the level of cyber-resilience was not about being able to prevent an attack, but more about managing and being able to recover back to a normal state.
He says: “43% say that they have nothing in place, and 20-25% have an ad-hoc unprepared plan. So its two-thirds who have insufficient plans."
“If you look at the requirements, it is broad across all verticals and the findings are low. It comes back to awareness and in typical verticals we are seeing a mission focus in terms of strategy.”
Asked what they meant by an ‘ad-hoc’ plan, Ayers says that this was having a plan in place but without any board approval or practice on it. “We have a capability in our product to run simulations,” he said. “Organizations who do plan and prepare are better integrated with the business.”
The research found that 65% of respondents believe that funding and staffing are insufficient to achieve a high level of cyber-resilience, while insufficient planning and preparedness ranked as the greatest barrier to cyber-resilience at 61%.
“Despite the growing importance of cyber-resilience, the research shows serious issues that need to be addressed if UK organizations are to survive the next wave of cyber-attacks,” says Larry Ponemon.
“Until cyber-resilience becomes a coordinated, organization-wide effort and the necessary technology and processes are put in place, organizations will remain vulnerable.”
On average, respondents say their organizations are allocating 23% of the IT security budget to achieving cyber-resilience, which averages about $3.1 million for the organizations represented in this research. Ayers says: “This is why a strategy on people, process and technology works, as some lead with one part when really it is about bringing the three elements together.”