It is hard to believe, but only in Chicago is this possible…we had a great warm up of 50 degree+ weather, and today, it is snowing. Truly, this makes the mind spin in a 360-degree fashion. Anyways, this weekend, at least in terms of the blogs, has been coined as “Why people just don’t understand the ramifications and the implications of a Cyberattack?”
Yesterday, we looked into the various reasons as to why victims keep falling for being a victim of a Cyberattack. In today’s blog, we examine why businesses fail to make sure that their arsenal is optimized for the current threat landscape.
IBM Resilient just released the findings of their latest market research study entitled “The 2019 Cyber Resilient Organization.” In this project, they do not ask respondents about the kinds of hardware or software that they use; but rather, they focus on key aspect:
The Incident Response Plan. Note that this different from a Disaster Recovery Plan, in which an organization lays out the step by step process as to how they will resume baseline business operations after they have been hit.
With an Incident Response Plan, this describes the step by step details as to how the business or corporation will immediately respond to a Cyberattack after it has been detected. Most organizations should have a dedicated staff whose primarily job is that: Responding to a threat vector and containing it before it causes more damage.
Here are some of the key findings of the survey:
*54% of the respondents do have an Incident Response Plan in place, but yet, they either have failed to test it initially; or if they have, they do not practice it at regular intervals.
*46% of the respondents have not come yet into GDPR compliance. Part of this is creating and regularly testing the Incident Response Plan that is in place.
So, what are the main reasons why Corporate America is failing to test their plans, even if it seems like a common sense thing to do? Here are three key reasons cited by this study:
*Automation is still considered to be an emerging tool:
Yes, its true that many parts of an Incident Response Plan are repetitive, and at times, one even thinks as to why a dedicated human resource is needed at all to carry out these particular tasks. Well, the Cybersecurity Industry is starting to realize this, and thus, have become advocates of the use of automated tools, so that the IT staff can be freed up to work on the much more important aspects of fighting off threats.
For purposes of this study, automation can be referred to as “technologies that augment or replace human intervention in the identification and containment of cyber exploits or breaches. These technologies depend upon artificial intelligence, machine learning, analytics and orchestration.” (SOURCE: https://www.securitymagazine.com/articles/90110-more-than-half-of-organizations-with-cybersecurity-incident-response-plans-fail-to-test-them)
In this aspect, here is what the survey found:
*Only 23% of the respondents claim that they regularly make use of automation. But within this group, the stats are even more interesting. For instance:
*69% of them claim that they automation helps them to combat Cyberattacks;
*76% of them make the assertion that they can better detect Cyberthreats;
*68% of them believe that they are better equipped to quickly respond to a breach after they have been hit;
*74% of them claim that they can effectively contain a threat after they have responded to it.
*A startling 77% of the respondents claim that they have automated tools at hand but have not made use of them.
*The lack of a skilled workforce:
Yes, we visit this same issue again. I have written many articles for clients on this topic, and the Cybersecurity gap still remains a large one to be filled and is expected to be so for the long haul. In this category, here is what the survey discovered:
*There are at least 20 positions to be filled for every company that was polled;
*Only 30% of the respondents claim that they have an adequate Cybersecurity staff in order to carry out the daily tasks;
*75% of the respondents stated that even after they have hired an individual, they have a hard time keeping them for the long term;
*Interestingly, 48% of the respondents claim that their organization deploys too many security related technologies.
*Cybersecurity Priorities still need some realignment:
True, the Cybersecurity Threat Landscape is still a very complex one, and it can be difficult for a company to ascertain what their true priorities are. But this survey found something quite interesting: Privacy seems to be a top, growing concern amongst the participants. Here is what they found:
*56% of the respondents’ rate information loss or theft as a top concern;
*78% of them believe that putting in the latest controls to protect corporate data is of the utmost concern;
*Only 20% of the respondents trust third parties with their confidential information and data;
*73% of the organizations polled claim that they have created a specific role known as the “Chief Privacy Officer”.
My thoughts on all of this?
Well, first and foremost, every organization needs to have some sort of Incident Response Plan written in place, even if it is the smallest Mom and Pop store all the way to the largest of the Fortune 100 companies. Really, there is no excuse for not at least having a one-page document that outlines the steps that they will take to respond to a threat.
Now, I am not trying to defend the reasons why these organizations have not practiced their Incident Response Plans, but to a certain degree, I can see why this can be a difficult task to accomplish. Let’s first look at the automation perspective. There are many Small to Medium sized businesses out there that simply cannot afford the dedicated staff that is needed to carry out these mundane tasks. So yes, automation is going to become important.
Although it can be a complex tool at first, automation can be very simple. It is not nearly as complex as it used to be, and in fact, many Cloud Providers are now offering hosted, automated tools at an affordable price. Best of all, many of them offer their technical support as part of their package, so a small business owner is not feeling stranded when deploying them.
Second is the lack of skilled, Cybersecurity workers. Yes, this is a growing problem now that Corporate America is facing. What does it take to hire to get a knowledgeable individual, and keep them for the long term? There are many HR related factors at play here which is out of the scope of this blog. But, one key thing to remember for the IT Manager and the CISO:
Always reward your IT Security employees for the work they do, and especially when they have detected and mitigated a serious Cyberthreat. A little pat on the back or even a gift card goes a long way in keeping an employee happy.
Finally, this goes out to the small business owners (believe me, I feel your pain, as I am one myself that is still sort of struggling at the moment): It is still important to test your Incident Response Plan on a regular basis. Even if you don’t have the dedicated resources at hand, somehow get people involved, even if this includes getting your friends and family to help out in rehearsing it.