Study Finds Companies Lack Plans, Resources to Thwart Cyber-Attacks

A new study conducted by the Ponemon Institute and sponsored by IBM found that companies have a hard time preventing and responding to cyber-attacks that threaten the integrity of their networks and data. In a majority of cases, companies don’t have the sufficient security budgets and staffing to discover threats and expunge them from their networks. Even as the potential damage caused by cyber-attacks increases, companies are slow to bring in Chief Information Security Officers and other critical security professionals to plan how to find and fix vulnerabilities. IBM’s study concludes that companies that have intrusion discovery and prevention plans in place can often thwart attacks before they happen. But too few companies are doing what it takes to safeguard their data. Read on to learn more of Ponemon Institute’s findings.

IBM found that 77 percent of companies still do not have a formal cyber security incident response plan (CSIRP) in place across all divisions within the organization. That means when a cyber-attack is underway, at least some corporate divisions if not all of them will know what steps to take to contain an attack.

The IBM-Ponemon study found that about 50 percent of organizations have either an “informal” or an “ad hoc” response plan, or even no plan at all. In those cases, companies are left to react to what’s happening without a basic plan to guide their responses.

Survey respondents revealed that they are unprepared to fight cyber-attacks even as the severity of threats and attacks is increases. The study found that 65 percent of companies said that they’ve witnessed increased “severity” in attacks they’ve had to deal with.

IBM-Ponemon study found that 57 percent of companies are taking more time now than they had in the prior year to respond and mitigate the threats they face. This means more severe threats have more time to wreak havoc on their targets.

IBM said it’s time for companies to work on becoming “cyber-resilient,” IBM said. This means they need to have the right staff using the right tools to quickly identify threats and thwart them before they can cause too much damage. According to IBM, 72 percent of companies believe they’re more cyber-resilient in 2018 than they were in 2017, and 61 percent of them say they achieved that by hiring new, “skilled personnel.”

IBM found in its study that artificial intelligence and machine learning are critical technologies for improving a company’s cyber resilience. However, 60 percent of respondents said that the lack of sufficient investment in these technologies is proving to be the biggest bottleneck as their companies attempt to improve their cyber-resilience.

Despite the obvious threats to corporate security, just 31 percent of companies report having the proper budget to handle and address potentially hacks, according to IBM. More than three-quarters of companies—77 percent—say that they’re unable to hire critical IT security personnel to address potential threats.

Chief Information Security Officers (CISOs) can assume the critical role of preparing companies to prevent or mitigate cyber-attacks. But the study found that 23 percent of companies don’t have a CISO or similar security executive. IBM also discovered that 50 percent of CISOs have only been with their companies for three years or less.

The Financial risks of failing to respond quickly to cyber-threats are staggering. According to a separate IBM study on the cost of a data breach, companies that are able to identify and resolve a data breach within 30 days save nearly $1 million compared to those that experience a protracted delay in addressing the problem.

There had been some hope that the European Union’s decision to enact the General Data Protection Regulation that takes effect in May 2018 would prod companies to enact incident response plans. However, IBM found that “most” companies are concerned that they won’t meet the deadline and will therefore not be in compliance with the regulation. That doesn’t bode well for similar efforts in the U.S. to boost data security.