NTT Security has released its fifth annual Risk:Value report. Titled ‘Risk:Value 2019, Destination Standstill. Are you asleep at the wheel?’ (registration required), it shows that UK businesses are falling behind in how they deal with cyber security incidents. The respondents for this survey were business leaders, not members of the IT department. The latter believe that they are doing a good job.
Commenting on the 2019 findings, Azeem Aleem, VP Consulting, NTT Security, said: “The Risk:Value report is an interesting barometer based on responses from those sitting outside of the IT function and is often very revealing. What’s clear is that the world around them is changing, and changing fast, with the introduction of new regulations, integration of new technologies and fast-paced digital transformation projects changing the way we work.
“What’s concerning though is that organisations seem to have come to a standstill in their journey to cybersecurity best practice – and it’s particularly worrying to see UK businesses falling behind in some critical areas like incident response planning.”
Where is the disconnect coming from?
That’s a good question. In many areas the business and IT seem to agree on the problem. 90% of UK respondents, for example, say that strong cybersecurity is important to their business in the next year. It ranks higher than growing profit and revenue. This means that the disconnect between IT and the business seems to be more about implementation than acceptance.
UK respondents see threats to critical national infrastructure (CNI) as being more of an issue than the loss of company data. CNI covers power and telecoms and while businesses are reliant on both, any failure here would be outside their control. The loss of data, however, is a major compliance issue and something that could have disastrous consequences for businesses.
One area that needs some explanation is GDPR. Despite all the fanfare, only 30% of respondents globally thought it applied to them. In the UK it is 48%, while Spain (55%) and Italy (50%) seem to be taking it more seriously. It’s hard to understand why less than half of UK business people think GDPR applies to them. Compare this with IT respondents at cybersecurity conferences over the last year, where the figure is in the 80-90% range.
Incident Response a good example of the disconnect
Another disconnect is what to do when it all goes wrong. Incident response plans are often seen as being an IT issue. After all, cybersecurity is down to IT and if something goes wrong, they will fix it, right? Wrong!
Most incident response plans are multidisciplinary. To be effective, they draw on people from across the business. This means that there are more business users than IT staff involved in an incident.
What this result shows is that companies are not communicating who is part of the incident response process. When someone moves into a new role, they need to know that they are part of that response team. If companies were rehearsing or keeping their incident response plans up to date, this would not be an issue.
This is something that Kai Grunwitz, Senior VP EMEA for NTT Security, talked about in a recent podcast with Enterprise Times.
Paying cybercriminals when Ransomware strikes is a thing
While Ransomware is not getting the headlines it did a few years ago, it has not gone away. It has been overtaken in terms of the number of attacks by cryptomining. However, as the case of Norsk Hydro showed, it is still alive and kicking.
Ransomware is still enjoying success in the US, where as many cities are willing to pay to get their data back as are not prepared to pay. When the question was asked in this report, the number willing to pay was the same as last year, at 33%. If that number is cause for concern, the fact that they are willing to pay a ransom because it is “cheaper than investing in cybersecurity” shows that the C-Suite has lost its way.
Compounding that problem, 36% were willing to pay a ransom rather than admit they’d had a problem and pay the appropriate compliance fine. It’s hard to square the claim that compliance is so important to businesses with a willingness to pay off cybercriminals. It suggests that regulators need to do more to deal with this disconnect.
Enterprise Times: What does it mean?
At 18 pages, this is far from the longest report that most people will have to read this year. However, it is something that IT and the C-Suite will want to sit down and mull over. That we have such a significant disconnect between the two sides of the business is more than just a problem; it has the potential to be business-ending.
The report demonstrates just how wide the gulf is between IT and the business. Both parts of the business are aware of the threat from cyber criminals. In the UK, 54% said that cyber attacks on the organisation are one of the top three challenges for the business in the next 12 months. It seems, therefore, that they both agree on the problem; what they don’t agree on is how it is being dealt with.
Quite how this gets resolved is hard to see. Perhaps a refocusing on what is required and a simplification of the processes would help. Another possible solution would be to better engage the business in how to create and apply those processes. One thing that does need to be addressed is the all too common problem of making every mistake career-ending. Users click on links and IT needs to deal with it. Take away the fear of making a mistake, engage in the why and the how, and this gap can be closed.