Over Half of Organizations with Cybersecurity Plans Fail to Test Them

IBM Security announced the results of a global study exploring organizations' preparedness when it comes to withstanding and recovering from a cyberattack. The study found that a vast majority of organizations surveyed are still unprepared to properly respond to cybersecurity incidents, with 77% of respondents indicating they do not have an incident response plan applied consistently across the enterprise.

While studies show that companies who can respond quickly and efficiently to contain a cyberattack within 30 days save over $1 million on the total cost of a data breach on average, shortfalls in proper cybersecurity incident response planning have remained consistent over the past four years of the study. Of the organizations surveyed that do have a plan in place, more than half (54%) do not test their plans regularly, which can leave them less prepared to effectively manage the complex processes and coordination that must take place in the wake of an attack.

The difficulty cybersecurity teams are facing in implementing a cyber security incident response plan has also impacted businesses' compliance with the GDPR. Nearly half of respondents (46%) say their organization has yet to realize full compliance with GDPR, even as the one-year anniversary of the legislation quickly approaches.

The study also found that less than one-quarter of the respondents said their organization significantly uses automation technologies, incident response platforms and security information and event management (SIEM) tools, in their response process. Only 30% of respondents reported that staffing for cybersecurity is sufficient to achieve a high level of cyber resilience while 62% indicated that aligning privacy and cybersecurity roles is essential or very important to achieving cyber resilience within their organizations.

For the first time, this year's study measured the impact of automation on cyber resilience. In the context of this research, automation refers to enabling security technologies that augment or replace human intervention in the identification and containment of cyber exploits or breaches. These technologies depend upon artificial intelligence, machine learning, analytics and orchestration.

When asked if their organization leveraged automation, only 23% of respondents said they were significant users, whereas 77% reported their organizations only use automation moderately, insignificantly or not at all. Organizations with the extensive use of automation rate their ability to prevent (69% vs. 53%), detect (76% vs. 53%), respond (68% vs. 53%) and contain (74% vs. 49%) a cyberattack as higher than the overall sample of respondents.

The cybersecurity skills gap appears to be further undermining cyber resilience, as organizations reported that a lack of staffing hindered their ability to properly manage resources and needs. Adding to the skills challenge, nearly half of respondents (48%) said their organization deploys too many separate security tools, ultimately increasing operational complexity and reducing visibility into overall security posture.

Organizations are finally acknowledging that collaboration between privacy and cybersecurity teams can improve cyber resilience, with 62% indicating that aligning these teams is essential to achieving resilience. Most respondents believe the privacy role is becoming increasingly important, especially with the emergence of new regulations like GDPR and the California Consumer Privacy Act, and are prioritizing data protection when making IT buying decisions.

When asked what the top factor was in justifying cybersecurity spend, 56% of respondents said information loss or theft. This rings especially true as consumers are demanding businesses do more to actively protect their data. According to a recent survey by IBM, 78% of respondents say a company's ability to keep their data private is extremely important, and only 20% completely trust organizations they interact with to maintain the privacy of their data.