Organizations’ cyber resilience efforts fail to keep up with evolving threats
A steady increase in cyberattacks and an evolving threat landscape are prompting more organizations to invest in long-term cyber resilience; however, many of these programs are falling short and fail to prove teams’ real-world cyber capabilities, according to Immersive Labs.
The report found that while 86% of organizations have a cyber resilience program, 52% of respondents say their organization lacks a comprehensive approach to assessing cyber resilience.
Growing importance of cybersecurity in 2023
Strengthening cyber capabilities tops the list of strategic priorities for organizations in 2023, with increasing the cyber resilience of cybersecurity team members (83%) and the general workforce (75%) identified as the two highest overall focus areas.
Organizations have taken steps to deploy cyber resilience programs; however, 53% of respondents indicate the organization’s workforce is not well-prepared for the next cyberattack (of any kind) and just over half say they lack a comprehensive approach to assessing cyber resilience. These statistics indicate that although cyber resilience is a priority and programs are in place, their current structure and training are ineffective.
“Cyber resilience is at the top of everyone’s mind today, amid an evolving threat landscape where ransomware, supply chain risks, and vulnerabilities are chief among security leaders’ concerns. And while it’s promising to see organizations and leaders implementing tactics and programs to increase cyber resilience, many unfortunately are still missing the mark,” said James Hadley, CEO of Immersive Labs.
“Despite all the classroom training and certifications, half of respondents indicate that employees, cybersecurity teams, and the organization are under-prepared. It’s clear that current programs need to be restructured to drive a successful cyber resilience agenda,” added Hadley.
Organizations concerned about workforce response to cyber incidents
Two out of three organizations are not confident that 95% of their workforce would know how to recover from a cyber incident.
High-priority tasks include maintaining business operations while core IT systems are unavailable, handling urgent tasks through manual processes, and not making recovery harder by reconnecting compromised devices to the network.
Industry certifications fall short in building cyber resilience
While almost all organizations encourage industry certifications, only 32% say those certifications are effective at mitigating cyber threats. Classroom training is offered too infrequently to be effective, with only around a quarter (27%) of respondents indicating they receive monthly training.
46% of respondents say their employees would not know what to do if they received a phishing email, despite years of security awareness training and phishing tests.
Lack of informative metrics in cybersecurity
Having the right metrics in place to prove cyber resilience amongst teams is important, particularly as Boards and C-level executives are looking for concrete evidence.
Despite this, 46% of senior security and senior risk leaders say they do not have the metrics they need to fully demonstrate their workforce’s resilience in the face of a cyberattack.
Only around 6% of organizations are using informative metrics, such as time taken to respond to and remediate vulnerabilities, intrusion rates, internal data loss, and incidence rates of various threat types.
Raising awareness around the importance of cyber resilience
During the past six months, the Board asked the security team to prove the organization’s cyber resilience at fewer than half (46%) of organizations; the senior leadership team made such a request at 51% of organizations. Raising awareness around the importance of cyber resilience is an important step in gaining more support from these critical leaders.
When communicating with the Board and senior leadership, security and risk leaders should embrace cyber resilience messaging, rather than focusing on the status of piecemeal inputs, such as deploying new cybersecurity solutions.
“Any legacy cyber training approach that cannot deliver continuous exercising is not fit for purpose given the realities of today’s evolving cyberthreats,” added Hadley. “As organizations work to strengthen their cyber resilience agenda, they should focus on continuous assessment and building cyber skills and proving stronger outcomes. We need a renewed focus on better cybersecurity capability solutions and cultivating a workforce with the expertise to handle the real-world impact demands of new and emerging threats.”