Organizations using simpler, interoperable and integrated solutions fared better in cyber resilience, while CSIRPs without ransomware response were weaknesses.

In the last five years, organizations’ ability to contain an attack has declined by 13%, according to global research conducted by Ponemon Institute across 3,400 security and IT professionals in the US, UK, ASEAN, Australia, Brazil, Canada, France, Germany, India, Japan, France, Canada and the Middle East.

Respondents’ security response efforts were apparently hindered by the use of too many security tools, as well as a lack of specific playbooks for common attack types.

While security response planning is slowly improving, the vast majority of organizations surveyed (74%) are still reporting that their plans are either ad hoc, applied inconsistently, or even non-existent. This lack of planning can impact the cost of security incidents, as companies that have incident response teams and extensively test their incident response plans spend an average of US$1.2 million less on data breaches than those that have both of these cost-saving factors in place.

The Cyber Resilient Organization Report, sponsored by IBM Security included other findings:

  • Improvements in formal security response:  More surveyed organizations had adopted formal, enterprise-wide security response plans over the past 5 years of the study; growing from 18% of respondents in 2015, to 26% in this year’s report (a 44% improvement).
  • Ransomware preparedness lagging: Even amongst those with a formal security response plan, only one third (17% of total respondents) had also developed specific playbooks for common attack types—and plans for emerging attack methods like ransomware lagged even further behind.
  • Complexity hinders response: The amount of security tools that an organization was using had a negative impact across multiple categories of the threat lifecycle amongst those surveyed. Organizations using 50+ security tools ranked themselves 8% lower in their ability to detect, and 7% lower in their ability to respond to an attack, than those respondents with less tools.
  • Better planning, less disruption: Companies with formal security response plans applied across the business were less likely to experience significant disruption as the result of a cyberattack. Over the past two years, only 39% of these companies experienced a disruptive security incident, compared to 62% of those with less formal or consistent plans.

Said Wendi Whitmore, Vice President of IBM X-Force Threat Intelligence about the findings: “While more organizations are taking incident response planning seriously, preparing for cyberattacks isn’t a one and done activity. Organizations must also focus on testing, practicing and reassessing their response plans regularly. Leveraging interoperable technologies and automation can also help overcome complexity challenges and speed the time it takes to contain an incident.”

Reading into the findings

Since different breeds of attack require unique response techniques, having pre-defined playbooks provides organizations with consistent and repeatable action plans for the most common attacks they are likely to face. 

Amongst the minority of responding organizations that have attack-specific playbooks, the most common playbooks were cited for DDoS attacks (64%) and malware (57%). While ransomware attacks have spiked nearly 70% in recent years, only 45% of those in the survey using playbooks had designated plans for ransomware attacks.

Additionally, more than half (52%) of those with security response plans said they have never reviewed or have no set time period for reviewing or testing those plans. With business operations changing rapidly due to an increasingly-remote workforce, and new attack techniques constantly being introduced, this data suggests that surveyed businesses may be relying on outdated response plans which do not reflect the current threat and business landscape.

On the issue of complexity, an over-abundance of disparate security tools may actually hinder the ability to handle attacks well. These findings suggest that adopting more tools did not necessarily improve security response efforts, or may even have compromised security.

Amongst high-performing organizations in the report, 63% said the use of interoperable tools helped them improve their response to cyberattacks.

Better planning pays off

Among organizations with a cybersecurity incidence response plan (CSIRP), only 39% experienced an incident that resulted in a significant disruption to the organization within the past two years compared to 62% of those who did not have a formal plan in place.

Looking at specific reasons that these organizations cited for their ability to respond to attacks, security workforce skills were found to be a top factor. Some 61% of those surveyed attributed hiring skilled employees as a top reason for becoming more resilient. Amongst those that reported that their resiliency did not improve, 41% cited the lack of skilled employees as the top reason.

Technology was another differentiator for better cyber resilience, especially when it comes to tools that helped respondents resolve complexity. The top two tech factors cited were visibility into applications and data (57% selecting) and automation tools (55% selecting).

Overall, the data suggests that surveyed organizations that were more mature in their response preparedness relied more heavily on technology innovations to become more resilient, if the technologies were well-integrated, interoperable and managed by sufficiently trained personnel.