Despite the demonstrated and ongoing susceptibility of businesses to cyber attacks, four in 10 companies still have not set out strategies for responding to future security incidents, an Economist Intelligence Unit (EIU) report has found.
The report, entitled Cyber Incident Response: Are Business Leaders Ready?, was sponsored by Arbor Networks and found that 76 per cent of companies had suffered an information-security incident in the last two years but just 17 per cent of businesses are fully prepared for an online security incident.
"When it comes to cyber-attacks, we live in a 'when' not 'if' world," Arbor Networks president Matthew Moynahan said in a statement.
"In the wake of recent high profile targeted attacks in the retail sector, a company's ability to quickly identify and classify an incident, and execute a response plan, is critical to not only protecting corporate assets and customer data, but the brand, reputation and bottom line of the company."
Lack of understanding around the nature and business impact of security breaches was a commonly cited obstacle, with 40 per cent of business leaders arguing that a better understanding of potential threats would help them be prepared and half saying they cannot predict the business impact when a breach occurs.
While the need for better education might suggest that CSOs need to improve their executive education processes, the survey also found that companies tend to be far less organisationally reactive than they should be.
Many companies are waiting until they suffer a security breach before enlisting help, with firms that have suffered an incident in the previous 12 months twice as likely to have an arrangement with outside parties as those that have not suffered a breach. This is despite two-thirds of respondents recognising that responding effectively to an incident has direct benefits for the firm's reputation.
There were signs that awareness is slowly rising, with 80 per cent of companies expecting to have an incident response team and plan in place within the next few years.
"With the source and impact of threats becoming harder to predict, executives should make sure that incident response becomes an organisational reflex rather than just a plan pulled down off the shelf," said James Chambers, senior editor at The Economist Intelligence Unit, in a statement.
Ensuring this sort of organisational reflex will require, among other things, a higher degree of proactivity and sharing – yet the survey found that companies were still reticent to talk about security breaches.
Fully 57 per cent of organisations did not voluntarily report incidents where they weren't required to do so, while only one-third of companies share information about security incidents with other organisations to benchmark their own responses to security incidents.