Three-quarters of organizations have fallen prey to at least one cyber attack in the past year
The BCI has released the latest edition of its Cyber Resilience Report, sponsored by Fusion Risk Management. The aim of this publication is to benchmark disruption levels and Cyber Resilience arrangements across organizations. It also delves into more detail about reporting and the role of the senior executive in cyber resilience strategies.
This year, interviewees of the report commented that their organizations had been targeted more in recent months. However, organizations seem to be better prepared to prevent cyber attacks thanks to better cyber security systems in place, more staff dedicated to Cyber Resilience and more extensive training and exercising programmes. The report also found that the losses incurred as a result of cyber crime are directly proportional to the amount of organizational investment in cyber security.
There is no more separation between Cyber Resilience and Business Continuity – 19 out of 20 organizations report having BC plans in place to deal with cyber security incidents. Indeed, as cyber crime becomes more complex and unpredictable, the importance of inter-departmental collaboration comes to the fore. The recent pandemic has shown senior management the need for resilience to be a strategic priority for organizations, and Cyber Resilience is a core part of that. Furthermore, with people, rather than technology, being the primary reason for failure, organizations’ entire workforces need to understand the part they play in nurturing a resilient environment.
Phishing remains the most popular way of attacking an organization, but the greatest concern is ransomware. Since 2019, there has been a dramatic increase in ransomware attacks. These attacks have detrimental consequences for organizations from both a financial and reputational perspective. The strategic impact of these attacks is an increasing concern to top management – particularly as criminals become ever more adept.
Cyber attacks are evolving and becoming more difficult to anticipate. Many attacks in recent years have relied on scripts remaining dormant in an organization’s system for many months before activation. As organizations are becoming better at discovering such attacks before they have a chance to make an impact, contemporary criminals are starting to favour attacks that hit systems immediately, leaving organizations with little or no time to prepare.
Strategic integration of cyber risk rather than a focus on systemic risk is becoming the new focus. The report shows that successful strategies are becoming more integrated into the organization, whilst also being more risk aware and focusing on cyber issues that have the potential to disrupt customers and other stakeholders.
Top management commitment is vital for limiting the number of attacks and reducing concurrent expenditure. 50.0% of organizations with a ‘zero’ or ‘low’ level of management commitment to cyber security reported more than five successful attacks on their organization in the past year compared to just 19.7% of organizations with a ‘high’ level of management commitment. This further has a direct impact on costs incurred because of cyber crime: 50.0% of organizations who defined their commitment as ‘high’ incurred zero costs because of cyber attacks in the past year whilst less than a third (32.6%) of organizations with a ‘medium’ to ‘zero’ level of commitment recorded zero spend.
Other findings from the report include:
- 61% of organizations reported that between one and five cyber attacks had successfully penetrated their defences in the past year.
- Response to a cyber attack: 23.2% of organizations would respond in less than five minutes, whereas 34.8% would take more than an hour and 9.9% would take 12 hours or more.
- 89.7% of organizations do have controls and indicators in place to manage their cyber security risk posture, although only 37.5% admit they are well tested and mature.
Rachael Elliott, Head of Thought Leadership at the BCI, said “It is encouraging to see management taking a heightened interest in cyber security which, in turn, is ensuring many organizations are able to adopt best-in-class procedures, purchase the latest cyber security technologies and employ the best staff. However, gaps do remain and, for those organizations where commitment is low, attacks are more likely to happen as staff struggle with outdated systems and siloed working practices. With criminals always attempting to stay one step ahead of corporations, attacks are becoming more serious – and more instant. Keeping flowing lines of communication and ensuring top management are wholly engaged with cyber strategies is vital to stay resilient to an ever more complex cyber landscape.”
Cory Cowgill, Chief Technology Officer, Fusion Risk Management said “Over the last 18 months, organizations have become increasingly concerned about cybersecurity as criminals adapt their methods to capitalize on changes to how we work, communicate and do business. While employing dedicated cybersecurity professionals is critical to ensuring cyber resilience, it’s critical that organizations adopt a cross departmental approach and break down silos to inform cybersecurity-related business continuity plans and protect against future risks. As we enter ‘the new normal’ and threat actors increase their ransomware use, the prevalence of phishing and socially engineered attacks remains high, which means enterprise-wide collaboration is crucial to ensure operational resilience.”