A Ponemon Institute survey of cyber resilience in German organizations reports that 79 percent of security executives say their organization is not prepared for a cyber security incident, and that only 21 percent have a well-defined incident response plan applied across the whole organization. The new independent study, The Cyber Resilient Organisation in Germany: Learning to Thrive against Threats, benchmarks German organizations' resilience to cyber threats.
Surprisingly, the same study found that 54 percent of respondents rated their organization's cyber resilience as high, suggesting a gap between perceived and actual resilience.
Germany is undergoing significant changes to its cyber security regulation. The Upper House of the German Parliament ratified legislation on the cyber protection of critical infrastructure in July 2015, and German lawmakers have been driving the upcoming EU-wide Network and Information Systems Directive (NISD) and the General Data Protection Regulation (GDPR). Both contain mandatory breach reporting requirements and require companies to clearly document their incident response strategies.
Key findings from the study include:
- 79 percent reported that they have either an ad hoc cyber security incident response plan (CSIRP) or none at all:
  - 21 percent of companies reported being unprepared to respond to a cyber security incident because they have no CSIRP.
  - A further 58 percent have only an ad hoc CSIRP, or one that is not applied across the enterprise.
- Only 21 percent have a well-defined CSIRP applied across the entire organization.
- The research also shows that planning and preparedness are key to cyber resilience. Yet 69 percent ranked insufficient planning and preparedness as the greatest barrier, ahead of insufficient awareness, analysis and assessment (55 percent) and complexity of business processes (51 percent).
- Fifty-four percent of respondents rated their cyber resilience as high. German organizations are therefore far more confident in their capabilities than their US and UK counterparts, where only 25 and 29 percent, respectively, rated their cyber resilience as high in similar surveys.
- The majority of German organizations are also confident in their ability to detect (56 percent), contain (63 percent) and recover from (51 percent) a cyberattack.
- The IT-related threat with the greatest impact on an organization's ability to be cyber resilient is persistent threats; the threat most likely to occur is third-party glitches.
- The study shows that a high level of cyber security is difficult to achieve if no single function clearly owns responsibility for it. Only 20 percent of respondents say the business unit leader is accountable for making the organization resilient to cyber threats, followed by 13 percent who say it is the chief information officer (CIO). Others said that no single person holds that responsibility.
- Forty-six percent of respondents believe that funding for IT security is insufficient to achieve a high level of cyber resilience, and 53 percent believe the same of IT security staffing.
The report surveyed 445 IT and security executives in Germany. It is the third report in a series of cyber resilience studies whose founding sponsor is Resilient Systems.
Download a copy of the report, The Cyber Resilient Organisation in Germany: Learning to Thrive against Threats, here.