Five Recommendations to Prepare
Cyber-attack planning is still depressingly poor, according to a new study of the United Kingdom’s biggest businesses.
While nearly every big company (96%) claims to have a cybersecurity strategy in place, less than half (46%) back that up with a dedicated budget. And only one in eight (16%) say they have a comprehensive understanding of the impact of loss or disruption that comes with cyber threats.
Similarly, while the vast majority (95%) of the FTSE 350 survey respondents said they had a cybersecurity incident response plan (IRP), only 57% actually test them on a regular basis.
The problem extends to the very top: Just one in five boards have undertaken a crisis simulation on cyber risk in the last 12 months, according to the government’s FTSE 350 Cyber Governance Health Check report, which monitors how large companies are approaching tech security.
Breaches are inevitable in today’s threat landscape. An IRP should take into account a wide variety of risks that today’s organizations face, including:
- Hobbyist (“sport”) hackers who exploit vulnerabilities for the personal challenge
- Advanced persistent threats (APTs) from nation-states and other groups with deep resources
- Equipment failures that cause otherwise strong security controls to stop working correctly under unusual conditions (e.g., power or hardware failures)
- Insider threats: stolen credentials, disgruntled or “activist” employees, imposters working for someone else, and bitter personnel on their way out
- Criminal elements motivated by greed to steal data or funds
- Accidental compromises due to human error
Because breaches or disruption from sources such as these are inevitable, CISOs should take these five basic steps:
- Create an IRP that covers the risk factors above and test it regularly. Rehearsing these real-world scenarios matters: in the study, 95% of organizations had an IRP but only 57% tested it regularly, so roughly four in ten of those with a plan never exercise it.
- Use intent-based segmentation. Like traditional segmentation, it limits an attacker’s ability to move east-west across the network. Unlike traditional segmentation, it is dynamic and adjusts automatically based on a continuous assessment of trust, identifying, tracking, and isolating users, devices, and applications according to business intent and security requirements.
- Keep a “gold copy” of the security infrastructure, captured in a known-good state and stored securely offline, and regenerate from it after a compromise. Once the security layer is back in a trusted state, CISOs can bring other operating systems and applications back up on top of it.
- Measure and adapt to changes in resiliency risk. Devise a resiliency score that measures the quality of the organization’s resiliency posture in real time: how many containment actions are ready to limit a breach, such as segmentation, quarantine, blocking an application’s access, or spinning up new capacity in the cloud? The score can follow the same principle used to express availability (three, four, or five 9s, i.e. “99.99% uptime”).
- Automate regeneration from that known, clean platform. Doing so has the potential to turn weeks of downtime into minutes.
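Regenerating “from a known state” only holds if the offline gold copy is confirmed to still be in that state before it is used. The following is an added example, not code from the original article or from any vendor: it records SHA-256 hashes of every artifact in a gold copy into a manifest when the copy is created, and later refuses to treat the copy as trusted if any file was modified, removed, or added. The manifest format (one `sha256  relative/path` line per file) and the sample configuration files are assumptions constructed for the demonstration; in practice the manifest itself would be signed and kept with the offline copy.

```python
"""Verify an offline gold copy against its recorded hashes before regenerating from it.

Added example; the manifest layout and sample artifacts below are assumptions,
not anything described in the original article.
"""
import hashlib
from pathlib import Path
from tempfile import TemporaryDirectory


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large images do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def write_manifest(root: Path, manifest: Path) -> None:
    """Record the hash of every file under root; run once, when the gold copy is created."""
    lines = []
    for p in sorted(root.rglob("*")):
        if p.is_file():
            lines.append(f"{sha256_file(p)}  {p.relative_to(root).as_posix()}")
    manifest.write_text("\n".join(lines) + "\n")


def verify_gold_copy(root: Path, manifest: Path) -> list[str]:
    """Return a sorted list of problems; an empty list means the copy matches its known state.

    Three failure modes are checked: a file whose hash changed, a file listed in the
    manifest but missing from the copy, and a file present in the copy but absent from
    the manifest (an unexpected addition is as suspicious as a modification).
    """
    expected: dict[str, str] = {}
    for line in manifest.read_text().splitlines():
        if line.strip():
            digest, rel = line.split("  ", 1)
            expected[rel] = digest

    problems = []
    seen = set()
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        seen.add(rel)
        if rel not in expected:
            problems.append(f"unexpected file: {rel}")
        elif sha256_file(p) != expected[rel]:
            problems.append(f"hash mismatch: {rel}")
    for rel in expected.keys() - seen:
        problems.append(f"missing file: {rel}")
    return sorted(problems)


def demo() -> tuple[list[str], list[str]]:
    """Build a constructed gold copy, verify it clean, then tamper with it and verify again."""
    with TemporaryDirectory() as tmp:
        root = Path(tmp) / "gold"
        (root / "etc").mkdir(parents=True)
        # Constructed sample artifacts standing in for a real security-stack image.
        (root / "etc" / "firewall.conf").write_text("default deny\n")
        (root / "etc" / "segmentation.yaml").write_text("zones: [dmz, app, db]\n")
        manifest = Path(tmp) / "MANIFEST.sha256"  # kept outside the copy it describes
        write_manifest(root, manifest)
        clean = verify_gold_copy(root, manifest)

        # Simulate tampering with the stored copy: alter one file, delete one, add one.
        (root / "etc" / "firewall.conf").write_text("default allow\n")
        (root / "etc" / "segmentation.yaml").unlink()
        (root / "etc" / "backdoor.sh").write_text("#!/bin/sh\n")
        tampered = verify_gold_copy(root, manifest)
    return clean, tampered


if __name__ == "__main__":
    clean_result, tampered_result = demo()
    print("clean copy problems:", clean_result)
    print("tampered copy problems:", tampered_result)
```

A regeneration runbook would call `verify_gold_copy` as its first step and abort on a non-empty result; the point is that the decision to rebuild from the copy is gated on evidence that the copy is still the state it was captured in, not on the assumption that “offline” means “untouched”.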
Cyberattack planning is still depressingly poor, even in big businesses
The top management at some of the UK’s biggest companies still don’t fully understand the potential risks of a cyberattack on their business, says a government report.
While nearly every big company (96%) claims to have a cybersecurity strategy in place, less than half (46%) back that up with a dedicated budget. And only one in eight (16%) say they have a comprehensive understanding of the impact of loss or disruption that comes with cyber threats.
Similarly, while the vast majority (95%) of the FTSE 350 survey respondents said they had a cybersecurity incident response plan, only 57 percent actually test them on a regular basis.
And just one in five boards have undertaken a crisis simulation on cyber risk in the last 12 months, according to the government’s FTSE 350 Cyber Governance Health Check report, which monitors how large companies are approaching tech security.
Still, it seems that awareness of the threat of cyberattacks is at least increasing, even if big companies aren’t exactly sure what to do about it: almost three quarters (72%) of respondents acknowledge that the risk of cyber threats is high, significantly up from just over half (54%) in the previous survey.
The arrival of the General Data Protection Regulation (GDPR) also seems to have had an impact: three-quarters of respondents said that board discussion and management of cybersecurity had increased since GDPR.
The report also warns that while the supply chain is increasingly becoming a target for cyberattacks, recognition of cyber risks in the supply chain appears to be a significant gap. While nearly three-quarters (73%) of boards recognize that the cyber risks arising from businesses in their supply chain are relatively high, less than a quarter (23%) recognize the risks associated with firms that are not directly contracted by the business (fourth parties and beyond), leaving them particularly exposed to such threats.
Cybersecurity is a business issue, not an IT issue, said Kevin Williams of the KPMG UK cybersecurity practice: “Some of the more successful companies ensure regular reporting on cyber risks directly to the board, creating a clear line of sight between the business and the risk. They also ensure regular testing of their capabilities to respond to information security incidents.”
It’s worth pointing out that this survey covers the biggest and richest companies in the UK. If, despite plenty of evidence of cyber espionage and the increasing risk of attacks on industrial systems too, these big firms can’t get a handle on security, what hope is there for smaller organizations with less money?