On March 14, 2018, IBM Security announced the results of a new global study on organizational cybersecurity readiness and resiliency entitled “The 2018 Cyber Resilient Organization.” The new survey includes insights from more than 2,800 security and IT professionals, and makes clear that cybersecurity readiness and resilience remain a critical challenge for businesses worldwide:
- 77% of respondents admit they do not have a formal cybersecurity incident response plan applied consistently across their organization;
- 77% of respondents report having difficulty retaining and hiring quality IT security professionals;
- 50% of respondents believe their incident response plan is either informal, ad hoc, or non-existent;
- 60% of respondents consider lack of investment in artificial intelligence and machine learning as the biggest barrier to achieving cyber resilience;
- 31% of respondents believe they have an adequate cybersecurity budget in place;
- 29% of respondents report having ideal staffing to achieve cyber resilience; and
- 23% of respondents say they do not currently have a CISO or security leader.
Despite these results, 72% of respondents report feeling more cyber resilient than they were last year. Is this confidence misplaced?
The new results largely track the results of PricewaterhouseCoopers’ Global State of Information Security Survey (GSISS) 2018, which found that of the more than 9,500 senior executives surveyed in 122 countries:
- 67% have an internet of things (IoT) security strategy in place or are currently implementing one;
- 36% have uniform cybersecurity standards and policies for IoT devices and systems;
- 34% have new data collection, retention and destruction policies; and
- 34% assess device and system interconnectivity and vulnerability across the business ecosystem.
These low results for cyber preparedness and resiliency present a significant risk for business. In its Global Risk Report 2017, the World Economic Forum found that “large-scale cyber-attacks or malware causing large economic damages” or “widespread loss of trust in the internet” remain the primary business risks in North America.
Organizations must be better prepared for cybersecurity incidents, which can result from unintentional events or deliberate attacks by insiders or third parties, such as cyber criminals, competitors, nation-states, and “hacktivists.” A prior IBM Study on the cost of data breaches found, using a sample of 419 companies in 13 countries and regions, that 47% of data breach incidents in 2016 involved a malicious or criminal attack, 25% were due to negligent employees or contractors (i.e., a human factor), and 28% involved system glitches, including IT and business process failures. Organizations that fall victim to successful cyber attacks or experience cyber incidents may incur substantial costs and suffer significant consequences, including remediation costs, increased cybersecurity protection costs, lost revenue, litigation and legal risk, reputational damage, increased insurance premiums, and damage to the organization’s competitiveness and shareholder value.
Making things more complicated, there are a number of new regulatory regimes requiring covered enterprises to develop robust cybersecurity policies, safeguards, and incident response plans, including the New York Department of Financial Services Cybersecurity Rules and the US Securities and Exchange Commission’s recent guidance on cybersecurity risk and incident disclosures.
If you or your enterprise are looking to assess your current cybersecurity practices, risk profile, or incident response preparedness, including legal compliance, or create new systems, policies, and processes, the Dentons cybersecurity team is prepared to help.
Dentons is the world’s largest law firm, a leader on the Acritas Global Elite Brand Index, a BTI Client Service 30 Award winner, and recognized by prominent business and legal publications for its innovations in client service, including founding Nextlaw Labs and the Nextlaw Global Referral Network. The Dentons Privacy and Cybersecurity Group operates at the intersection of technology and law, and has been singled out as one of the law firms best at cybersecurity by corporate counsel, according to BTI Consulting Group.