The lack of a consistent CSIRP is a persistent trend each year
The General Data Protection Regulation (GDPR) takes effect on 25 May 2018 and will effectively require organizations to have an incident response plan in place, since personal data breaches must be notified to the supervisory authority within 72 hours. Yet 77% of respondents to a new study conducted by the Ponemon Institute and sponsored by IBM Resilient said they do not have an incident response plan that is applied consistently across the entire enterprise, and respondents in most of the countries surveyed do not report confidence in their ability to comply with GDPR. A Gartner report from November last year likewise estimated that fewer than 50% of all affected organizations will fully comply by the deadline. GDPR levies steep penalties of up to EUR 20 million or 4% of global annual turnover, whichever is higher, for non-compliance, and the regulation describes the level of data protection and privacy that companies must provide to EU citizens only in terms such as "reasonable", leaving organizations to decide what controls are adequate.
The study also found that 77% of respondents admit they do not have a formal cyber security incident response plan (CSIRP) applied consistently across their organization, and nearly 50% of the 2,800 respondents said their incident response plan is either ad hoc or completely non-existent.
However, 72% of organizations feel more cyber resilient in 2018 than they were last year. The survey attributes this confidence to their ability to hire skilled personnel. That confidence may be misplaced: 57% of respondents said the time to resolve an incident has increased, and 65% reported that the severity of attacks has increased.
Some of the key factors impacting overall cyber resiliency include:
- Lack of an adequate cyber resilience budget (69%)
- Difficulty hiring and retaining IT security professionals (77%)
- Lack of investment in AI and machine learning, cited as the biggest barrier to cyber resilience (60%)
The lack of a consistent CSIRP is a persistent trend each year despite a key finding from IBM's 2017 Cost of a Data Breach Study: the average cost of a data breach was nearly USD 1 million lower when organizations were able to contain the breach in less than thirty days, which highlights the value of a strong, well-rehearsed CSIRP. Security leadership is also relatively new: the responding organizations have had a CISO in place for three years or less, and 23% report they do not currently have a CISO or security leader at all.