SecurityWeek

Incident Response Plans Lacking in Many Organizations: Survey

 A new survey of IT pros and executives by consulting firm Protiviti shows many organizations are not preparing well for cyber-crisis scenarios. 

According to the survey – which fielded responses from more than 340 CIOs, CSOs, IT directors, managers and auditors – more than a third (34 percent) of the respondents said their organizations lack a formal and documented crisis response plan to execute in the event of a data breach or cyber attack. Another 10 percent said they don’t know if they do.

Forty-six percent said their organization has updated the response plan within the past year, and 22 percent said it had been updated within the last 24 months. Still, 23 percent said it had either been longer than five years or that it had not been updated at all, and the remaining respondents said it had been within the past five years.

Just 46 percent of those surveyed said they perform “fire drills” to test their ability to execute the organization’s incident response plan. Forty-nine percent said they didn’t, while five percent did not know. Of those that did perform tests, two-thirds performed them either monthly or annually.

“While every organization is unique, general best practice calls for an annual risk assessment and testing every six months,” according to the report. “Organizations also must consider any major implementations or infrastructure changes that have taken place, and update and test their crisis response plans as needed to ensure they are aligned with the changes.”

Most of the organizations that had a plan also had high board engagement in information security.

“Among those organizations that have a crisis response plan, there continues to be growth in the role of the CIO and other key roles that should be involved in executing this plan,” according to the report. “Having these different critical perspectives is the best approach to ensuring the organization can respond swiftly and effectively to an incident or breach.”

Earlier this year, a report from Ponemon Institute found that half of the 674 IT and security professionals surveyed said incident response represents less than 10 percent of their security budgets. For most (68 percent), the money allotted to incident response has not increased in the past two years.

“Our survey results tell a story of gaps between where companies currently stand and where they should be in relation to fundamental elements of IT security,” said Cal Slemp, managing director with Protiviti, in a statement. “Some progress has been made since our last survey, yet many organizations still fall short of important standard protocols for IT security and privacy. Companies need to take more action in relation to the risks they recognize to better protect their crucial data.”

Written By

Marketing professional with a background in journalism and a focus on IT security.
