Of the 2,000 IT and IT security professionals surveyed by the Ponemon Institute, “75% of respondents admit they do not have a formal cyber security incident response plan (CSIRP) that is applied consistently across the organization” and 51% rated cyber resilience as “very important or essential to achieving a strong security posture.” The November 2016 Ponemon report entitled “The 2016 Cyber Resilient Organization - Executive Summary” (sponsored by Resilient, an IBM company) started with this definition of Cyber Resilience:

The capacity of an enterprise to maintain its core purpose and integrity in the face of cyber attacks.

Networkworld’s November 16, 2016 report entitled “IBM: Many companies still ill-prepared for cyber attacks” highlighted these key results from the Ponemon study:

  • Of those with a CSIRP in place, 52% have either not reviewed or updated the plan since it was put in place, or have no set plan for doing so.
  • 41% say the time to resolve a cyber incident has increased in the past 12 months, compared to only 31% who say it has decreased.
  • 74% say they faced threats due to human error in the past year
  • When examining the past two years, 74% say they have been compromised by malware on a frequent basis, and 64% have been compromised by phishing on a frequent basis
  • 68% don’t believe their organizations have the ability to remain resilient in the wake of a cyberattack
  • 66% aren’t confident in their organization’s ability to effectively recover from an attack
  • 25% have an incident response plan applied consistently across the organization. 23% have no incident response plan at all
  • Only 14% test their incident response plans more than one time per year
  • 66% cite a lack of planning as their organization’s biggest barrier to becoming resilient to cyberattacks
  • 48% say their organization’s Cyber Resilience has either declined (4%) or not improved (44%) over the past 12 months
  • 41% say the time to resolve a cyber incident has increased or increased significantly, while only 31% say it has decreased or decreased significantly
  • In 2015, the average cybersecurity budget was $10 million. This increased to an average of $11.4 million. More funding has been allocated to cyber resilience-related activities. In 2015, 26% of the IT security budget was allocated to cyber resilience-related activities. This increased to 30% in 2016.

No surprises here, but what are you doing for cyber protection?