Most businesses don’t have a cybersecurity incident response plan, says IBM

Published on 12/12/2019 01:56 PM

The vast majority of businesses do not have a formal cybersecurity response plan, according to new research by IBM. 

The tech giant questioned 2,800 senior executives from companies around the world for its third annual study of the “Cyber Resilient Organisation”. The main finding was that 77 per cent of respondents said their companies “do not have a formal cybersecurity incident response plan applied consistently across their organisation”. Half of the 2,800 said their companies had either informal or ad-hoc systems in place, or they were “completely non-existent”.

However, despite the lack of formal processes, 72 per cent of organisations said they are more cyber resilient today than they were last year. Also, of the companies which were deemed to be “highly resilient”, 61 per cent attribute their confidence to their ability to hire skilled personnel. But recruitment and investment are big issues, with 60 per cent of respondents saying that a lack of investment in artificial intelligence and machine learning – and in hiring the people with the right skills to implement them – was the biggest barrier to cyber resilience.

More than 30 per cent said they did not have an adequate cyber resilience budget in place, and 77 per cent said they experience “difficulty retaining and hiring IT Security professionals”.

Ted Julian, VP of product management and co-founder of IBM Resilient, said: “Organizations may be feeling more cyber resilient today, and the biggest reason why was hiring skilled personnel.

“Having the right staff in place is critical, but arming them with the most modern tools to augment their work is equally as important.

“A response plan that orchestrates human intelligence with machine intelligence is the only way security teams are going to get ahead of the threat and improve overall Cyber Resilience.”

The research was conducted by the Ponemon Institute, and among its other findings were:

Staffing for cyber resilience-related activities is inadequate

  • The second-biggest barrier to cyber resilience was having insufficient skilled personnel dedicated to cybersecurity.
  • 29 percent of respondents reported having ideal staffing to achieve cyber resilience.
  • 50 percent say their organization's current CISO or security leader has been in place for three years or less. Twenty-three percent report they do not currently have a CISO or security leader.

Organisations are not ready for GDPR

  • The General Data Protection Regulation takes effect in May 2018 and will mandate that organizations have an incident response plan in place.
  • 77 percent of respondents do not have an incident response plan that is applied consistently across the entire enterprise.
  • Most countries surveyed do not report confidence in their ability to comply with GDPR.

Dr Larry Ponemon, of the Ponemon Institute, said: “A sharp focus in a few crucial areas can make a big difference when it comes to cyber resilience.

“Ensuring the security function is equipped with a proper incident response plan, staffing, and budget will lead to a stronger security posture and better overall cyber resilience.”