More than two-thirds of IT managers experienced a security breach or incident in the past 24 months.
The study “Cyber Security Incident Response: Are we as prepared as we think?”, from the Ponemon Institute and Lancope, which surveyed 674 IT security professionals, found that CEOs and members of management teams are in the dark about potential cyber attacks against their companies.
Mike Potts, president and CEO of Lancope, said that headlines from 2013 show that today’s enterprises are ill-equipped to identify and halt sophisticated attacks launched by nation-states, malicious outsiders and determined insiders.
“Now is the time for C-level executives and IT decision-makers to come together and develop stronger, more comprehensive plans for incident response. This communication is critical if we want to reduce the astounding frequency of high-profile data breaches and damaging corporate losses we are seeing in the media on a near-daily basis,” he said.
The study found that 46 per cent say that another incident is imminent and could happen within the next six months, while 80 per cent of respondents do not frequently communicate with executive management about potential cyber attacks against their organisation.
Mark Brown, director of risk advisory at EY, said: “Any sector that deals with intellectual or valuable property will be targeted, so it becomes an economic rather than cyber battle and, if this is the case, a security manager can protect for a tenth of the cost.
“As boardrooms take notice, we see demand for security auditors and this has increased in the last 12 months and this is going one way, as there are too few people.”
The Lancope report also found that organisations are not measuring the effectiveness of their incident response efforts, as 50 per cent of the respondents said that they did not have meaningful operational metrics to measure the overall effectiveness of incident response. While most organisations could identify a security incident within a matter of hours, it takes an entire month on average to work through the process of incident investigation, service restoration and verification.
The Lancope and Ponemon study also found that half of all respondents say that less than ten per cent of their security budgets are used for incident response activities, while the majority said that their incident response budgets have not increased in the past 24 months.
TK Keanini, CTO of Lancope, said: “While incident response is what this has been labeled, at the business level where executive and board level conversations are taking place, this is an issue of business continuity. Give any VP or executive the choice between catching the bad guy and business continuity when a cyber event occurs, and I’ll bet the latter wins every time.”