Barely a day goes by without a new report of an organisation or business becoming the victim of data loss, hacking or the latest cyber threat. So commonplace are these incidents that nowadays only the high profile security breaches get reported in mainstream press.
Systems errors and outages are also a major threat – in 2012, the Royal Bank of Scotland, allocated £125 million to cover the costs of a system outage caused by an error in the bank’s batch processing system.
It is clear that organisations face an unprecedented risk to their business-critical data and corporate networks from an ever-expanding range of threats.
While companies worldwide are relying on their IT systems more than ever before, they have to ensure they stay one step ahead of hackers and the latest malware, as well as mitigate against the danger of system outages and other disruptions.
It is imperative that business leaders are aware of these issues and take measures to mitigate security threats and the potential for downtime. This is a challenge not just for larger enterprises but for medium-sized and smaller organisations as well.
But just how severely do these problems affect organisations across the world and how prepared are companies to protect their networks? Do businesses have incident response plans in place, and if so, what are some of the best practices that CIOs should implement as part of their security response plans?
Attacks on the rise
According to a new report by the Economist Intelligence Unit (EIU) – titled ‘Cyber Incident Response: Are Business Leaders Ready?’ and sponsored by Arbor Networks – over 77% of organisations spoken to say they have suffered an incident in the past two years, such as theft of information and disruption to systems.
As a result, there is a high awareness among business leaders for the need to defend corporate networks against hackers and cyber threats. But understanding the nature of the threats and detecting when an attack has occurred has become increasingly difficult in a world where these threats are constantly evolving.
In the escalating arms race between organisations on one hand and criminals on the other, the rate at which new malware and hacking techniques are developing has rapidly increased.
Businesses have to be flexible and responsive to new sophisticated threats at all times and attempt, however difficult it may prove, to stay one step ahead of those who would bring them down.
On the flip side, although the frequency of security incidents is on the rise, not all are malicious. In the past year, the most common incidents were accidental major systems outages (29%) and the loss of sensitive data by an employee (27%), according to the EIU report.
It is clear that companies should be prepared to respond to a range of potential threats, both external and internal. Given the likelihood of an incident, in whatever shape or form, being prepared to respond is now of the utmost importance. This not only presents a challenge but also an opportunity for organisations.
For the companies that invest resources in being adequately protected, the potential return can be compelling: two-thirds of the firms spoken to say that responding to an incident effectively is actually a chance to enhance the company’s brand reputation.
How prepared are organisations?
Only 17% of executives say they feel fully prepared to deal with a security breach. Incredibly, this drops to a regional low of 12% among business leaders in Asia-Pacific.
This leaves significant room for improvement, especially when 38% of companies still have no security response plan in place should an incident occur.
However, data shows that having a formal IT security plan in place does have a strong influence on business confidence.
In fact, over 90% of respondents whose company currently has an incident response plan or an incident response team in place feel prepared for a security incident. As a result, it’s become increasingly commonplace for companies to plan for potential security incidents.
The key, however, is to regularly test and update the plan once it is in place because even the most robust plan ultimately depends on how it is carried out during an emergency. This includes having the most basic information readily available, such as knowing whom to call when an outage occurs.
There are many cases where a company doesn’t know the phone number for their third-party security or cloud provider – a delay that can cause revenue loss of thousands, if not millions, of dollars per hour.
Having information on key whitelists and information on applications and organisations that must get through when the organisation itself is fending off an attack.
The good news is more than 60% of the organisations that took part in the EIU research have already taken steps to put an incident response team and an incident response plan in place.
Notably, this number is set to rise above 80% in the next few years as an increasing number of companies move towards formalising their incident response preparations.
It is clear that although most business executives do not feel fully prepared to handle a security breach, having an official security response team and plan in place greatly changes this level of confidence.
What many companies likely don’t realise is that raising awareness and increasing education among employees plays an important role in mitigating the worst fallout from any attack.
Indeed, employee notification appears to be as effective as software controls and routine checks. The research shows that in 46% of cases it is an employee who first notifies the organisation of an incident.
To a certain extent, elevated employee awareness can even explain the rising number of incidents reported by companies. Put simply – being better able to recognise an incident means an employee is more likely to report it to the relevant department.