Brian Sims
Editor

Business Continuity Institute issues latest edition of Cyber Resilience Report

THE BUSINESS Continuity Institute (BCI) has released the latest edition of its Cyber Resilience Report (sponsored by Fusion Risk Management). The aim of this publication is to benchmark disruption levels and cyber resilience arrangements across organisations. The document also delves into more detail about reporting and the role of senior executives in cyber resilience strategies.

This year, interviewees whose opinions underpin the report’s content commented that their organisations had been targeted more in recent months. However, organisations seem to be better prepared to prevent cyber attacks thanks to better cyber security systems being in place, more staff being dedicated to the subject of cyber resilience and more extensive training and exercising programmes having been introduced.

Further, the report also finds that the losses incurred as a result of cyber crime are directly proportional to the amount of organisational investment attributed to the topic of cyber security.

There is no more separation between cyber resilience and business continuity, it seems. 19 out of 20 organisations report having business continuity plans in place to deal with cyber security incidents. Indeed, as cyber crime becomes more complex and unpredictable, the importance of inter-departmental collaboration is brought to the fore.

The COVID-19 pandemic has showcased to senior management the need for resilience to be a strategic priority for organisations, with cyber resilience very much a core part of that. Further, with people – rather than technology – being the primary reason for failure, organisations’ entire workforces need to understand the part they play in nurturing a resilient environment.

Popularity of phishing

Phishing remains the most popular way of attacking an organisation, but the greatest concern is now around ransomware. Since 2019, there has been a dramatic increase in ransomware attacks. These attacks have detrimental consequences for organisations from both a financial and reputational perspective. The strategic impact of these attacks is an increasing concern for top management, particularly so as the criminals become more adept.

Cyber attacks are evolving and becoming more difficult to anticipate. Many attacks in recent years have relied on scripts remaining dormant in an organisation’s system for many months before activation. As organisations are becoming better at discovering such attacks before they have a chance to make an impact, contemporary criminals are starting to favour types of attack which hit corporate systems immediately, in turn leaving organisations with little or no time to prepare.

Strategic integration of cyber risk rather than a focus on systemic risk is becoming the new focus. The BCI’s report shows that successful strategies are becoming more integrated into the organisation, while businesses are also becoming more risk aware and focusing on cyber issues that have the potential to disrupt customers and other stakeholders.

Senior management commitment is vital for limiting the number of attacks and reducing concurrent expenditure. 50% of organisations with a ‘zero’ or ‘low’ level of management commitment to cyber security reported more than five successful attacks on their organisation in the past year compared to just 19.7% of organisations with a ‘high’ level of management commitment.

Further, this exerts a direct impact on costs incurred because of cyber crime. 50% of those organisations who defined their commitment as ‘high’ incurred zero costs because of cyber attacks in the past year, while less than one third (32.6%, in fact) of organisations with a ‘medium’ to ‘zero’ level of commitment recorded zero spend.

Additional study findings

Further findings from the comprehensive study include the following:

*61% of organisations reported that between one and five cyber attacks had successfully penetrated their defences in the past year

*23.2% of organisations would respond to a cyber attack in less than five minutes, whereas 34.8% would take more than an hour and 9.9% would take 12 hours or more

*89.7% of organisations questioned do have controls and indicators in place to manage their cyber security risk posture, although only 37.5% admit that they’re well tested and mature

Rachael Elliott, head of thought leadership at the BCI, explained: “It’s encouraging to see management taking a heightened interest in cyber security which, in turn, is ensuring many organisations are able to adopt Best-in-Class procedures, purchase the latest cyber security technologies and employ the best staff. However, gaps do remain and, for those organisations where the commitment level is low, attacks are more likely to happen as staff struggle with outdated systems and siloed working practices.”

Elliott concluded: “With criminals always attempting to remain one step ahead of corporations, attacks are becoming more serious and more instant in their nature. The maintenance of flowing lines of communication and ensuring that top management are wholly engaged with cyber strategies is vital in order to stay resilient to an ever-more complex cyber landscape.”

Cory Cowgill, chief technology officer at Fusion Risk Management, noted: “Over the last 18 months, organisations have become increasingly concerned about cyber security as criminals adapt their methods to capitalise on changes to how we work, communicate and do business. While employing dedicated cyber security professionals is critical to ensuring cyber resilience, it’s critical that organisations also adopt a cross departmental approach and break down silos to inform cyber security-related business continuity plans and protect against future risks.”

In addition, Cowgill stated: “As we enter ‘the new normal’ and threat actors increase their ransomware use, the prevalence of phishing and socially engineered attacks remains high. Inevitably, this means that enterprise-wide collaboration is going to be crucial for ensuring operational resilience.”
