In 1978, Sun Information systems introduced the backup computer center to mitigate the potential business disruption that would follow an IT-related disaster. Today more than ever, cyber attacks have the ability to disrupt businesses as 27% of all attacks are now advanced and targeted.
Cyber resilience is measured by the ability to mitigate or marginalize the disruption associated with a cyber attack. Typically, the more targeted the attack, the greater the potential impact, so how ready are businesses today to respond when incidents occur? In the European Union, proposed legislation will require organizations to notify relevant national authorities within 24 hours; yet we know from our M-Trends research that it typically takes a median of 205 days to discover a cyber breach and 32 days to respond. From this, it would seem we are a long way from the anticipated regulatory requirements.
We have completed further analysis with PAC to understand just how ready and resilient businesses really are. The key highlights include:
- 85% of businesses believe they are ready to respond to an incident - we know from years of managing backups that typically people and process fail, so it’s alarming to see that only just over half (61%) had a cyber response plan.
- When asked how long it took to discover a breach, times varied from one to six months for 69% of those surveyed, and typically it took between one and six man-months to recover – not even close to the time proposed by the EU. A key question every organization should ask themselves is just what is an acceptable timescale? Regulation is one aspect but from a business resilience perspective, just what is fast enough?
You may be wondering about the disconnect between these PAC research statistics and the M-Trends data. The PAC research looks at any breach. (Of note, 67% identified they had been breached in the last year.) In M-Trends, we identify 97% are breached, but of these, 27% are advanced attacks. I would suggest that in the PAC research there would be many organizations that are breached with advanced threats but that are still unaware of it. Finding advanced threats takes the right blend of technology, intelligence and expertise.
Investments in cyber are becoming more balanced between defensive and responsive measures. What is clear is that the right skills and intelligence are the current deficiencies, with 69% today leveraging internal and external staff and 85% seeing either partial or full outsourcing as a long-term solution. Why? This is a specialist skill, requiring the right knowledge and expertise. For many, it is just too expensive to hire the specialists they need in-house.
So what are the takeaways?
- We may seem confident, but just like the first backups we restored that failed, it’s likely that many incident responses will fail in crisis as we don’t have a well-defined and tested IR strategy in place.
- Due to the required skills and expertise, most of us will leverage external resources during our time of need. It’s interesting that 56% either have or were considering cyber insurance for recovery costs or protection against first- or third-party liabilities.
- We need the right measures. The volume of attacks is the most common method of measuring threats, yet we have seen that less is more: the more targeted the attack, typically the greater the impact. Even so, business impact ranked fourth when respondents were asked how to measure the cyber landscape, with volume-based metrics taking the top three spots and the 'Number of Threats' being number one.
Cyber resilience is becoming a key discussion, but unless we learn from our mistakes it will likely still be the cause of unnecessary business disruption for the foreseeable future.