A new report sheds light on how unprepared many businesses are for online security threats.
The new cyber incident response report, carried out by the Economist Intelligence Unit and sponsored by security firm Arbor Networks, includes the results of a survey of 360 senior business leaders in North America, Europe and Asia-Pacific.
Based on responses, only 17 percent of businesses are fully prepared for an online security incident and over a third of firms (38 percent) have no incident response plan in place.
Meanwhile, the likelihood of encountering a security incident is high, with 77 percent of companies surveyed suffering at least one incident in the past two years.
“In the wake of recent high profile targeted attacks in the retail sector, a company’s ability to quickly identify and classify an incident, and execute a response plan, is critical to not only protecting corporate assets and customer data, but the brand, reputation and bottom line of the company,” Arbor Networks president Matthew Moynahan said in a statement.
However, the study focuses not only on highly public security incidents like the attack on Target before the holidays last year, or the outages plaguing the Royal Bank of Scotland in 2012, but also on smaller attacks that may pass by unnoticed.
Understandably, falling prey to online attacks remains something of a taboo. When not legally required to report them, 57 percent of organizations choose not to voluntarily disclose security incidents. And only a third of companies share information about incidents with other organizations to spread best practice and benchmark their own response.
But there seems to be increasing internal pressure to deal with attacks. The report anticipates that more than 80 percent of organizations will have an incident response team and plan in place in the next few years.
“There is an encouraging trend towards formalizing corporate incident response preparations,” EIU senior editor James Chambers said in a statement. “But with the source and impact of threats becoming harder to predict, executives should make sure that incident response becomes an organizational reflex rather than just a plan pulled down off the shelf.”
According to the report, the response plans of attack-ready firms are typically led by the IT department, but also draw upon external resources such as IT forensic experts, specialist legal advisers and law enforcement experts.
Companies would be wise to increase their security responsiveness to protect not only their data but also their reputation, given that the handling of these incidents often has a way of becoming known to the public.