Organisations must invest more in incident response planning

We’ve all seen the damage that data breaches and other disruptive incidents can cause. There are the delays in productivity, the PR circus, legal fees and the costs of notifying and assisting affected data subjects. To mitigate the damage, organisations should adopt cyber resilience. This is a framework that addresses how disruptive incidents can be prevented and what to do if your defences fail.

With the number of threats rising each year and organisations struggling to prevent them, cyber resilience is quickly becoming essential to the way organisations do business. However, there are still too many senior staff who are overconfident in their ability to prevent incidents.

Ponemon Institute’s Third Annual Study on the Cyber Resilient Organization found that respondents spend 44% of their cyber resilience budget on preventing incidents and 26% on detecting them. By contrast, organisations invested only 15% of their budget on containing breaches, 11% on remediating them and 4% on post-incident response.

Planning for disaster

Organisations are often reluctant to plan for the worst, arguing that if the majority of their resources were directed towards prevention, they wouldn’t need to plan for failure at all. Unfortunately, this simply isn’t how cyber security works. Attacks are an inevitability, and organisations need to accept this to have any chance of avoiding disruptions.

We’re not suggesting everyone should be funnelling the money budgeted for prevention into response. Ponemon Institute’s report indicates that, even though prevention and detection account for 70% of organisations’ cyber resilience budgets, this still isn’t adequate. Only 31% of respondents said their budget was sufficient, with many citing a lack of investment in technologies and skilled personnel.

It’s therefore clear that organisations need to provide more funding at all levels. There’s a good chance this will happen, as the report found significant growth in the awareness of cyber resilience, and senior staff are recognising its effectiveness. In Ponemon Institute’s 2016 report, 52% of respondents said their cyber resilience processes had improved in the past 12 months; this jumped to 72% in the 2017 report.

The NIS Regulations

Another reason for the uptick in cyber resilience is that its methodology helps organisations comply with the Network and Information Systems (NIS) Regulations, the new law designed to protect critical infrastructure.

The NIS Regulations state that operators of essential services (OES) and digital service providers (DSPs) must:

  • Implement appropriate technical and organisational measures to secure their network and information systems;
  • Account for the latest developments and consider the security risks in their systems;
  • Take appropriate measures to ensure service continuity in the event of security incidents; and
  • Promptly notify the relevant supervisory authority of any significant security incident.

More info on cyber resilience and the NIS Regulations

You can learn more about the NIS Regulations and how cyber resilience can help by reading our NIS Regulations compliance guide. This free green paper covers:

  • The NIS Regulations’ requirements and the UK government’s implementation approach;
  • The proposed assurance regime;
  • Which organisations are in scope;
  • The proposed security requirements for compliance; and
  • How you can implement a compliance programme to meet the NIS Regulations’ requirements.

You might also be interested in our NIS Regulations infographic, which breaks down the key information into bite-sized chunks and is an ideal reference tool.