Cyber resilience requires board commitment

Cyber attacks are evolving and becoming more difficult to anticipate. This is according to the latest Cyber Resilience Report from the BCI, sponsored by Fusion Risk Management. 

Interviewees of the report commented that their organisations had been targeted more in the last months. However, they seem to be better prepared in preventing cyber attacks thanks to better cyber security systems in place, more staff dedicated to cyber resilience and more extensive training and exercising programmes.

Strategic integration of cyber risk rather than a focus on systemic risk is becoming the new focus. The report shows that successful strategies are becoming more integrated into the organisation, whilst also being more risk aware and focusing on cyber issues that have the potential to disrupt customers and other stakeholders.

Top management commitment is vital for limiting the number of attacks and reducing concurrent expenditure.

Half of organisations with a ‘zero’ or ‘low’ level of management commitment to cyber security reported more than five successful attacks on their organisation in the past year compared to just 19.7% of organisations with a ‘high’ level of management commitment.

Rachael Elliott, head of thought leadership at the BCI, said “It is encouraging to see management taking a heightened interest in cyber security which, in turn, is ensuring many organisations are able to adopt best-in-class procedures, purchase the latest cyber security technologies and employ the best staff.

”However, gaps do remain and, for those organisations where commitment is low, attacks are more likely to happen as staff struggle with outdated systems and siloed working practices.

”With criminals always attempting to stay one step ahead of corporations, attacks are becoming more serious – and more instant.

“Keeping flowing lines of communication and ensuring top management are wholly engaged with cyber strategies is vital to stay resilient to an ever more complex cyber landscape.”

The report also found that the losses incurred as a result of cyber crime are directly proportional to the amount of organisational investment in cyber security.

Other findings include:

• 61% of organisations reported between one and five cyber attacks had successfully penetrated their defences in the past year;
• Response to a cyber attack: 23.2% of organisations would respond in less than five minutes whereas 34.8% would take more than an hour and 9.9% taking 12 hours or more, and
• 89.7% of organisations do have controls and indicators in place to manage their cyber security risk posture, although only 37.5% admit they well tested and mature.

Cory Cowgill, chief technology officer, Fusion Risk Management said “Over the last 18 months, organisations have become increasingly concerned about cybersecurity as criminals adapt their methods to capitalise on changes to how we work, communicate and do business.

“While employing dedicated cybersecurity professionals is critical to ensuring cyber resilience, it’s critical that organizations adopt a cross departmental approach and break down silos to inform cybersecurity-related business continuity plans and protect against future risks.

”As we enter ‘the new normal’ and threat actors increase their ransomware use, the prevalence of phishing and socially engineered attacks remains high, which means enterprise-wide collaboration is crucial to ensure operational resilience.”

There is no more separation between cyber resilience and business continuity – 19 out of 20 organisations report having BC plans in place to deal with cyber security incidents.

Indeed, as cyber crime becomes more complex and unpredictable, the importance of inter-departmental collaboration comes to the fore.

The pandemic has showcased senior management the need for resilience to be a strategic priority for organisations, and cyber resilience is a core part of that.

Furthermore, with people, rather than technology, being the primary reason for failure, organizations’ entire workforces need to understand the part they play in nurturing a resilient environment.

Phishing remains the most popular way of attacking an organisation, but the greatest concern is ransomware.

Since 2019, there has been a dramatic increase in ransomware attacks. These attacks have a detrimental consequence on organisations from both a financial and reputational perspective.

The strategic impact of these attacks is an increasing concern to top management – particularly as criminals become ever more adept.

Many attacks in recent years have relied on scripts remaining dormant in an organisation’s system for many months before activation.

As organisations are becoming better at discovering such attacks before they have a chance to make an impact, contemporary criminals are starting to favour attacks which hit systems immediately, which leave organisations with little or no time to prepare.