Don’t Overlook This Crucial Security Tool!
It can often seem like there is a cyberattack waiting around every corner in today’s volatile threat landscape. Business pages are full of grim news about threats like ransomware, hacking, business email compromise, and other dangerous cyberattacks. Almost 95% of executives said their firms have experienced a business-impacting cyber-attack or compromise within the past 12 months. It seems just a matter of time before every business is in a cybercriminal’s sights. That’s why it’s so shocking that 1 in 3 businesses is flirting with disaster by not having an incident response plan.
Incident Response Planning Neglect is Rampant
No one wants to think about their organization falling victim to a cyberattack, but it is a necessary exercise. A cyberattack is attempted every 39 seconds, and every business is in the line of fire. No business is too small to be at risk. A powerful way to avoid becoming a victim of a cyberattack is to make organizations more cyber resilient, and incident response planning is a crucial component of cyber resilience.
In the fifth annual IBM/Ponemon Cyber Resilient Organization Study, researchers noted that 56% of organizations that scored high for cyber resilience have formal incident response plans tested in a cyber range, compared to 37% of all respondents. The researchers went on to note that 71% of high performers have an incident response plan for a ransomware attack, compared to 51% of all respondents.
Over the past five years of the study, organizations have been steadily adopting formal, enterprise-wide incident response plans, with the percentage of survey respondents who do have plans for how they would handle a cyberattack growing from 18% of respondents in 2015 to 26% in 2020 (a 44% improvement). Unfortunately, three-quarters of the organizations that their researchers surveyed are still reporting that their plans are either ad-hoc, applied inconsistently, or nonexistent. Incident-specific response plans are even rarer. Only one-third of the respondents that had incident response plans had developed specific playbooks for common attack types like ransomware.
Preparation is the Key to Maximum Effectiveness at the Minimum Cost
Failing to think ahead can be devastating when disaster strikes, creating stress and delays that compound problems. Strong, smooth incident response is a key factor in determining if a company survives the blow. 60% of companies shutter within 6 months of experiencing a successful cyberattack. This is not new information, yet in a recent study, 23% of the IT security managers surveyed say their company doesn’t have protocols in place to report a suspected cyber attack and 33% don’t have a formal cybersecurity incident response plan at all.
Cyberattacks are extraordinarily expensive, and we’re not just talking about ransoms. A cyberattack victim isn’t just paying for immediate damage and repair like other damaging disasters. Companies will also be contending with loss of business costs, lost productivity, bad publicity, added payroll hours, new security tools, investigators, regulatory experts, penalties, legal bills, equipment damage, and other expenditures. The bills can pile up fast. Businesses need to have a plan in place to handle this tsunami of expenses while they get back on their feet.
If the worst does happen, having an incident response plan will save the company money. In the recent IBM/Ponemon Cost of a Data Breach Survey, researchers found that making investments in incident response like creating a dedicated team and formal incident response plans reduced data breach costs for their study subjects. Companies with an incident response team that also tested their incident response plan had an average data breach cost of $3.25 million, while those that had neither in place experienced an average cost of $5.71 million (representing a 54.9% difference.)
These 3 Benefits of Having an Incident Response Plan Make it a No-Brainer
An incident response plan doesn’t just protect your business during an incident, it also empowers your business to thrive now, come out of an incident with more cash, and prevent another incident in the future
Just having an incident response plan reduces the company’s overall risk.
A company doesn’t have to use its incident response plan to benefit from it. Just going through the process of making, testing, and maintaining an incident response plan reduces a company’s chance of experiencing a damaging cybersecurity incident substantially. How substantially? IBM researchers announced that only 39% of the organizations that they studied with a formal, tested incident response plan experienced an incident at all, compared to 62% of those who didn’t have a plan.
The business has time to prepare for the bills.
If a business hasn’t planned how it will handle a cyberattack, it may not have the funds it needs to deal with the damage and get back to work. Only a little over half of the total cost of a cyberattack is paid upfront. The rest comes due down the line, with another quarter arriving about a year after the incident, and the rest coming due two or more years later. Preparation gives businesses much-needed time to develop emergency resources – 83% of small businesses haven’t put cash aside for dealing with a cyberattack
Organizations gain insight into vulnerabilities and compliance issues.
The process of creating an incident response plan shines a light into many corners of a company’s IT environment, and that can bring things that have been previously overlooked into focus. Thinking about ways cybercriminals could damage a business can help uncover vulnerabilities – 60% of leading companies cite improved visibility into applications and data assets as a critical improvement for cyber resilience. That review can also give a company a better eye on compliance and data handling practices.
One Mitigation Can Reduce a Company’s Chance of Having an Incident by up to 70%
The best way to avoid an incident response mishap is to avoid having an incident in the first place with security awareness training. This low-cost mitigation has a host of benefits for businesses like increased compliance, greater cyber resilience, and a reduced chance of trouble from phishing and credential compromise. It also reduces a company’s chance of experiencing a data breach by up to 70% with an excellent ROI. A little over 95% of IT professionals who responded to a survey said that their organizations have security awareness and phishing resistance training programs. Those programs can range from high-quality ongoing classes to occasional ad hoc meetings. But a much smaller percentage of those companies are invested in making sure their employees complete their security awareness training. Only 30% of the surveyed pros could say that 80% or more of their company’s employees had completed any formal security awareness training courses.
In a report from consulting giant Accenture detailing the characteristics of a cyber-resilient organization, researchers placed the ideal number of training courses for employees each year at 11, or just a little under one per month. This prevents courses from becoming rote but still keeps the topic fresh in employees’ minds. Digging deeper, a UK study on phishing simulations discovered that 40 – 60% of the employees surveyed were likely to open malicious links or attachments at the start of the study. But consistent cybersecurity awareness training made a huge difference in those employees’ behavior. In follow-up testing, after about 6 months of training, the percentage of employees who took the bait in every industry dropped 20% to 25%. Further training produced a steeper drop. After 3 to 6 months more training, the percentage of employees who opened phishing messages dropped to only 10% to 18%.
Security Awareness Training Customized to Fit Any Business
Every business will benefit from making a new commitment to safe cybersecurity practices in 2022. ET&T can help every organization keep that resolution with powerful solutions in our risk protection platform. Teach employees to spot and stop security threats and avoid mistakes that could lead to damaging security incidents.
