Benjamin Franklin said that “if you fail to plan, you are planning to fail.” Few places can this been seen more keenly than in cybersecurity.
Despite the aforementioned quote, many organizations are failing to prepare to respond to security incidents. According to findings in a report from Trustwave set to be officially announced tomorrow, 21 percent of the IT and security professionals they surveyed said their businesses do not have incident response procedures in place. In addition, some 19 percent said they had not implemented and tested a disaster recovery plan.
“Many companies do have plans but they are out-of-date and/or not relevant,” said Phil Smith, senior vice president of government solutions and special investigations at Trustwave. “Many were put together to satisfy an audit or security program but have not been maintained, implemented or tested. Most of the cases where we are involved in responding to an actual data breach, we either don’t find an incident response readiness plan in place or one that is outdated and/or never tested.”
Up-to-date business continuity plans were about as common as incident response plans, as nearly a quarter of the 476 respondents said they did not have plans that were current. Twenty-percent said their organization did not have a process that enabled the reporting of security incidents.
“Where there is no plan in place we often see a delay in an organization’s ability to respond to an incident because they are spending critical time trying to get themselves organized and identifying the correct people who have access to the infected systems and decision makers who can provide direction,” Smith said.
Earlier this year, a survey of 340 C-level execs, auditors, IT directors and managers by consulting firm Protiviti had similar findings as the Trustwave report, with more than a third of the respondents stating their organization lacks a formal and documented crisis response plan to execute in the event of a breach or attack.
At the executive level, the research uncovered mixed levels of involvement in cybersecurity. Forty percent said they have board-level management fully taking an active role in security matters, while 12 percent said they weren’t involved at all.
“For board members to properly understand security and risk, and to enable them to make the right choices, you must provide them with easy-to-understand and accurate information,” according to the Trustwave report.
The numbers were slightly higher when it came to senior-level management, with 52 percent describing them as fully active. Just five percent said they were not active at all.
“Companies where security starts at the top with the board and executives are typically in a much better security posture,” Smith said. “While that doesn’t necessarily mean they won’t experience a security incident, they will be in a much better position to respond and contain an incident. Executives that have a better understanding of security and an incident response process will allow their teams to focus on the event and not distract them by requiring information during the initial critical phases. If it’s practiced then the executives know when they can expect information and a plan.”
The full report is available online in PDF format.
