Cyber-attacks Hit Businesses Daily, But Resilience is Lacking

Cyber-attacks are becoming a run-of-the-mill occurrence: Nearly two-thirds (63%) of C-suite executives say that their companies experience significant cyber-attacks daily or weekly, according to a recent Accenture study of over 900 senior business personnel.

But there is a disconnect between awareness and action. Only 25% of respondents said their organization always incorporates measures into the design of their company’s technology and operating models to make them more resilient.

However, many execs seem to be burying their heads in the sand: 88% believe their cyber-defense strategy is robust, understood and fully functional. Nearly as many (86%) said that they measure their organization’s resilience to determine what improvements are needed. About half (53%) said their company has a continuity plan that they refresh as needed.

A more granular look at the situation reveals that only 9% of executives said their company proactively runs inward-directed attacks and intentional failures to test their systems on a continuous basis. Just 49% map and prioritize security, operational and failure scenarios, and even fewer (45%) have produced threat models for existing and planned business operations to enable rapid responses to an attack or system failure.

Further, only 38% of executives said their companies had thoroughly documented the relationships between their technology and operational assets to identify resilience risks and dependencies in their organization.

“Given the prevalence of cyber-attacks on today’s companies and government organizations, the only question for most is when a cyber-attack will occur, not if it will occur,” said Brian Walker, managing director at Accenture Technology Strategy.

“While savvy executives know where their weak spots are, and work across the C-suite to prepare accordingly – testing systems, planning for various scenarios and producing response and continuity plans that guide quick actions when a breach occurs – the data clearly shows that companies by and large have more work to do,” he added.

According to the report, successful enterprises recognize that the responsibility for resilience and agility does not just fall to the CIO, CISO or chief risk officer. On average, the research found that companies have two executives in the C-suite who are responsible for continuously monitoring and improving their business resilience. About a fifth (19%) of the represented companies had a “dedicated resilience officer.”

“To enable and protect the company, CEOs should work closely with their CIO, CISO and others across their leadership team as well as their board of directors, to make decisions about investments, and advance their business continuity efforts,” said Walker.

“They cannot prevent an attack or failure, but they can mitigate the damage it can cause by taking steps to make their business more resilient, agile and fault-tolerant.”
