Companies failing to plan for many cyber dangers

Only 22 percent of companies have a comprehensive plan in place to deal with major security incidents

Only 22 percent of companies have a comprehensive plan in place to deal with major cybersecurity incidents, according to a new survey from KPMG and British Telecom.

Meanwhile, 97 percent said they have been the victims of a digital attack, and 55 percent said that they have seen an increase in cyberattacks.

"Our research is showing us that people don't have a plan that they can turn to if they are under considerable attack," said BT Americas CISO Jason Cook.

In particular, a good plan should include more than just the IT department, he said.

"Do you deliberately mention business functions that are not directly tied into cybersecurity?" he asked. "What does the legal team do? How does vendor management get involved? How do you communicate with partners and customers?"

The plan also has to be continuously reviewed to adapt to the changing security landscape, he added -- it's not enough to come up with a plan and then not look at it again.

In addition, only 23 percent have adequate cyberinsurance in place.

"The rest have either no cyberinsurance, or have inadequate cyberinsurance," he said.

For example, cyberinsurance can typically cover loss and damage to digital assets, business interruption costs associated with system downtime, direct financial losses associated with a cyber fraud or extortion attempt, provision of specialist support to incident management and forensics and investigation, and provision of reputation management services, said David Ferbrache, technical director for cyber security at -based KPMG.

Companies should also look for coverage for problems that involve their business partners.

"This might cover the damages associated with a security breach which impact a third party such as inability to meet contractual obligations," he said.

Insurance policies may also specifically cover things like physical damage that results from cyber attacks on industrial control systems.

"This has been an issue for oil and gas firms and industrial manufacturing firms," he said.


According to the survey, 51 percent of companies also had no strategy for dealing with ransomware and other types of blackmail, said BT's Cook.

The report was based on a survey of 100 CISOs, CIOs and other IT executives at Fortune 500 companies in the US, the UK, Singapore, India and Australia.

In another survey released this week by Tripwire, 93 percent of information security professionals at Infosecurity Europe 2016 said that they expect ransomware attacks to escalate, and 56 percent said that ransomware is one of their top three security concerns -- but only 32 percent said they were "very confident" that they could recover from a ransomware infection without losing critical data.


Stories by Maria Korolov
