Better education on security threats would improve response planning, business leaders say

Despite the demonstrated and ongoing susceptibility of businesses to cyber attacks, four in 10 companies still have not set out strategies for responding to future security incidents, an Economist Intelligence Unit (EIU) report has found.

The report, entitled Cyber Incident Response: Are Business Leaders Ready?, was sponsored by Arbor Networks and found that 76 per cent of companies had suffered an information-security incident in the last two years but just 17 per cent of businesses are fully prepared for an online security incident.

"When it comes to cyber-attacks, we live in a 'when' not 'if' world," Arbor Networks president Matthew Moynahan said in a statement.

"In the wake of recent high profile targeted attacks in the retail sector, a company's ability to quickly identify and classify an incident, and execute a response plan, is critical to not only protecting corporate assets and customer data, but the brand, reputation and bottom line of the company."

Lack of understanding around the nature and business impact of security breaches was a commonly cited obstacle, with 40 per cent of business leaders arguing that a better understanding of potential threats would help them be prepared and half saying they cannot predict the business impact when a breach occurs.

While the need for better education might suggest that CSOs need to improve their executive education processes, the survey also found that companies tend to be far less organisationally reactive than they should be.

Many companies are waiting until they suffer a security breach before enlisting help, with firms that have suffered an incident in the previous 12 months twice as likely to have an arrangement with outside parties as those that have not suffered a breach. This is despite two-thirds of respondents recognising that responding effectively to an incident has direct benefits for the firm's reputation.

There were signs that awareness is slowly rising, with 80 per cent of companies expecting to have an incident response team and plan in place within the next few years.

"With the source and impact of threats becoming harder to predict, executives should make sure that incident response becomes an organisational reflex rather than just a plan pulled down off the shelf," said James Chambers, senior editor at The Economist Intelligence Unit, in a statement.

Ensuring this sort of organisational reflex will require, among other things, a higher degree of proactivity and sharing – yet the survey found that companies were still reluctant to talk about security breaches.

Fully 57 per cent of organisations did not voluntarily report incidents where they weren't required to do so, while only one-third of companies share information about security incidents with other organisations to benchmark their own responses to security incidents.


Stories by David Braue
