Companies failing to plan for many cyber dangers

Only 22 percent of companies have a comprehensive plan in place to deal with major security incidents

Only 22 percent of companies have a comprehensive plan in place to deal with major cybersecurity incidents, according to a new survey from KPMG and British Telecom.

Meanwhile, 97 percent said they have been the victims of a digital attack, and 55 percent said that they have seen an increase in cyberattacks.

"Our research is showing us that people don't have a plan that they can turn to if they are under considerable attack," said BT Americas CISO Jason Cook.

In particular, a good plan should include more than just the IT department, he said.

"Do you deliberately mention business functions that are not directly tied into cybersecurity?" he asked. "What does the legal team do? How does vendor management get involved? How do you communicate with partners and customers?"

The plan also has to be continuously reviewed to adapt to the changing security landscape, he added -- it's not enough to come up with a plan and then not look at it again.

In addition, only 23 percent have adequate cyberinsurance in place.

"The rest have either no cyberinsurance, or have inadequate cyberinsurance," he said.

For example, cyberinsurance can typically cover loss of and damage to digital assets, business interruption costs associated with system downtime, direct financial losses associated with a cyber fraud or extortion attempt, provision of specialist support for incident management, forensics and investigation, and provision of reputation management services, said David Ferbrache, technical director for cyber security at -based KPMG.

Companies should also look for coverage related to problems that relate to their business partners.

"This might cover the damages associated with a security breach which impact a third party such as inability to meet contractual obligations," he said.

Insurance policies may also cover specifically things like physical damage that results from cyber attacks on industrial control systems.

"This has been an issue for oil and gas firms and industrial manufacturing firms," he said.


According to the survey, 51 percent of companies also had no strategy for dealing with ransomware and other types of blackmail, said BT's Cook.

The report was based on a survey of 100 CISOs, CIOs and other IT executives at Fortune 500 companies in the US, the UK, Singapore, India and Australia.

In another survey released this week by Tripwire, 93 percent of information security professionals at Infosecurity Europe 2016 said that they expect ransomware attacks to escalate, 56 percent said that ransomware is one of their top three security concerns -- but only 32 percent said they were "very confident" that they could recover from a ransomware infection without losing critical data.
