The report notes that the top three cyber-attacks continue to be phishing/social engineering, malware and 'spear-phishing' (an email-spoofing attack that targets a specific organisation or individual), while new entrant ransomware sits at number five. With fresh cyber-attacks making news headlines on an almost daily basis, it is reassuring that 60% of senior management claim to have a high commitment to cyber resilience.
Around two out of three organisations (64%) reported at least one cyber disruption in the last twelve months, while some 15% had experienced more than ten. More alarmingly, roughly one in six organisations did not know whether a disruption had occurred or not, which suggests a lack of cybersecurity awareness in the organisation and the likely presence of information silos.
The survey of 734 business continuity and risk management professionals reveals that more than two-thirds of those surveyed (67%) take over an hour to respond to a cyber incident, with 16% admitting to a response time of four hours or more. This is a cause for concern as industry experts recommend responding to an incident within the first hour of discovery, commonly known as the 'golden hour'.
In the Middle East & North Africa, the picture is even worse, with only 12% taking less than an hour to react to a cyber incident and one in three (33%) taking three hours or longer.
The research showed validation is key to building cyber resilience, with 55% of organisations testing their cyber resilience capabilities through exercising while 47% conduct penetration tests.
About a third of the respondents (33%) suffered disruptions costing more than €50,000, while more than one in ten (13%) experienced losses of €250,000 or more. Segmenting the data for small and medium enterprises (SMEs), which made up a quarter of the sample, showed that 18% suffered a disruption of €50,000 or more. Considering that 40% of the SMEs involved in the survey have an annual turnover of less than €1 million, these appear to be significant losses.
On a brighter note, several respondents stated that business continuity is no longer separated from IT and cyber departments, a recognition that a sound business continuity plan must take into account the effects of a malicious online attack in order to guarantee continuity in the current threat landscape.
The report concludes with four key findings: