Nearly half (46 percent) of executives in a Deloitte poll say their organizations have experienced a cybersecurity incident over the past year — and that they’re still no closer to being ready for the next event.
The survey, of more than 3,150 professionals polled during a Deloitte Dbriefs webcast on cyber-preparedness, found that a lack of awareness of organizational cybersecurity policy is hampering efforts to improve incident-response benchmarks.
To wit: About a third (30 percent) of CEO and executive-level respondents identified a lack of employee understanding of the organization’s cyber-incident response plan as their biggest challenge when it comes to dealing with an attack.
Another fifth (20 percent) reported a lack of resources, such as funding, tools and skills, as the biggest obstacle.
The result is that more than 1,500 of the surveyed professionals reported feeling only “somewhat confident” in their organization’s ability to respond to and remediate a cyber-incident. That is not positive news given that Deloitte estimates cybercrime costs will reach $6 trillion annually, with no indication of a slowdown in cyber-threats.
“We used to say it’s ‘not if, but when’ an organization will experience a cyber-incident,” said Andrew Morrison, principal, Deloitte Risk and Financial Advisory Cyber Risk Services, Deloitte & Touche LLP. “That message has evolved well beyond a single incident to ‘how often’ or ‘how to respond to and withstand persistent attacks.’”
Unfortunately, about half (49 percent) of executive and C-level respondents to the poll admitted that their organization does not conduct cyber-wargaming exercises, and more than one-third (34 percent) indicated that they don’t know their individual role within their organization’s cyber-incident response plan.
The findings dovetail with Deloitte’s recently released CEO and Board Risk Management Survey, which identified cybersecurity as the biggest threat to organizations — and yet only 25 percent of the 400 CEOs and board members surveyed said their organizations are actively wargaming or scenario planning for cyber-incidents.
A typical wargame lets participants hone the organizational reflexes and collaborative judgment required to avert or contain a cyber-incident crisis, using real-time injects and threat vectors that mirror those an organization would likely encounter. Deloitte noted that best practices include focusing on learning objectives to understand what an organization needs at its current level of maturity; involving a broad group of participants to identify intersections between different teams and silos; and choosing a realistic scenario with realistic vulnerabilities.
“Improving internal processes and providing employees with the knowledge, practice and skills needed to succeed can help organizations mitigate risk through preparedness, as well as increase overall business resilience to future attacks,” Morrison said.