Research finds that cyber crisis preparation is failing to adapt to modern threats
- Published: Friday, 14 August 2020 08:01
A ‘stark disconnect’ exists between the inadequacy of crisis exercising and the desire to build an effective cyber crisis response function, according to a new Osterman Research study published in association with Immersive Labs. The report, which surveyed senior security leaders at 402 UK and US-based organizations, found that nearly 40 percent of respondents were not confident that their teams would be able to handle a data breach if one happened that week.
Looking at the evolution of ransomware alone, the number of ransomware detections in business environments rose by 365 percent between Q2 2018 and Q2 2019, and global organizations have seen a 148 percent spike in ransomware attacks amid COVID-19. Meanwhile, more than a third of organizations surveyed say they space their tabletop exercises a year - sometimes two - apart, with most (65 percent) consisting of reviewing PowerPoint slides. In fact, slide-based sessions are nearly 20 times more common than practicing simulations and most (64 percent) ran three or fewer scenarios during their last exercise.
“If you did your ransomware training in January, you’re likely five ransomware techniques behind the curve now,” said James Hadley, CEO of Immersive Labs. “With three quarters of organizations agreeing that business continuity was at the forefront of their minds, it is time to close the gap between attackers and defenders and shake up the outdated status quo. This requires faster, shorter crisis drills run with the people you will be standing shoulder to shoulder with when the worst happens. Crisis exercises must be made more contemporary.”
Additional key points from the research report include:
Over reliance on plans contributes to low incident response (IR) confidence: despite organizations’ low confidence in their IR preparedness, the majority (61 percent) of respondents think having an IR plan is the single most effective way to prepare for a security incident. In fact, twice the number of respondents thought an IR plan was more effective than regular table-top crisis exercising. When they do perform crisis exercises, nearly 40 percent of all senior security leaders surveyed said the last exercise generated no action from the business.
Only a fraction of people who will be involved in a real crisis are present in training: a quarter of organizations surveyed ran crisis exercises without senior cyber security leadership in attendance, and only 20 percent of exercises involved communications team members, although the survey showed impact on brand is more important in security leaders’ minds when running crisis exercises at 47 percent, than share price (24 percent) or liquidity (27 percent). Nearly half of security leaders said their organizations do not have a cross disciplinary cyber crisis group, of those who do, only 17 percent met monthly.
The pandemic exacerbates challenges with the human factor: 20 percent of respondents said they find it impossible to effectively involve people in crisis response remotely from other geographies. Add to that, the human element of the cyber equation is being overlooked by crisis response exercises with only 15 percent saying they are focused on stress testing human cyber readiness.
Technology investments can’t save an organization alone, it’s time to focus on people: nearly 60 percent of respondents think the best way to prepare for a crisis incident is to buy more technology, and more are interested in covering themselves legally (38 percent) than running effective tabletop exercises and fire drills to train their teams (32 percent).
“Dusting off the three-ring binder crisis plan does not cut it today,” added Hadley. “In the first 30 minutes of a crisis, it is highly unlikely you’re thinking of your plan. It’s the real-life, crisis simulation training that prepares organizations to effectively respond to security incidents. Micro-drills, or very focused exercises, designed to address particular risks must make their way into the mix. Much like exercising to stay fit, this needs to happen with regularity in dynamic environments, and involve all the right people, in order to keep current and be effective.”