Organizations Claiming Cyber Resilience Are Scarcely Resilient

According to a survey carried out on behalf of Immersive Labs, a large share of firms that describe themselves as cyber resilient lack the tools needed to evaluate that resilience.


Although most organizations have a program in place to measure cyber resilience, Immersive Labs' research shows that over half of them lack a thorough method for doing so.


The survey, which set out to analyze company readiness in the face of increasingly frequent incidents, found a clear need to improve cybersecurity in response to external risks.


According to Osterman Research analyst Michael Sampson, who also wrote the whitepaper accompanying the survey, "the rules of engagement for cyberthreat players are continuously innovating to produce disastrous and inevitable situations." As a result, even though most organizations view cyber resilience as a positive, most currently lack mature methods for establishing, testing, and upgrading it.


The study, commissioned by Osterman Research, surveyed 570 people in senior risk and security roles at companies with more than 1000 employees. It was carried out in Germany, the UK, and the US.


Although most organizations have a program for measuring cyber resilience, over half of respondents said their organization does not have a complete strategy for doing so.


These programs combine plans, strategies, and infrastructure for cyber resilience, and more than half of them are run internally. A smaller share is also delegated to outside parties such as consultancies (35%).


Companies lack adequate metrics to evaluate cyber resilience: only 6% of senior risk and security leaders use instructive metrics such as reaction time, attack rates, internal information loss, and occurrence rates for different data types. Nearly half of these leaders are unable to demonstrate their team's resilience against internet-based attacks.


Sampson expressed disappointment that organizations rely on weak metrics to evaluate cybersecurity resilience and capabilities, metrics that are totally unrelated to resilience itself.


Fewer than half of organizations reported that their board had asked the security staff to present evidence of the company's cyber resilience in the previous six months, according to the survey. Of these requests, 51% came from the upper tier of the leadership team.


It was also alarming, Sampson remarked, to see businesses report to the company board on their cyber security several times a year without metrics. "It would be damaging for all people involved to withhold the truth. Organizational boards of directors should start asking for documentation and paying closer attention to the elements that go into resilience evaluations."


The main drivers for implementing cyber resilience programs are security risks and incidents. Ransomware is a concern for 63% of respondents, while supply chain threats and code exploit-based threats concern 51% and 48%, respectively.


Ransomware, supply chain and external attacks, and coding vulnerabilities are among the top concerns organizations have, according to Sampson. These issues are compounded by the immaturity of cyber resilience programs: organizations have no control over many facets of these attack types, which remain chaotic and dynamic.


The survey also revealed that one of the main issues is mistrust of industry certifications. Almost all organizations (96%) support industry certifications, yet only 32% believe they are effective at reducing cyberthreats. Additionally, just 48% of organizations ask candidates for cybersecurity certifications during the hiring process, even though 96% say they want their IT and cybersecurity staff to pursue them.


The frequency of classroom instruction is also inadequate to properly address cybersecurity concerns: only about 27% of those surveyed receive training on a monthly basis.


Sampson added that training and accreditation play a role in building competency with a subject or product, but they are less well suited to assessing how a person will apply that expertise when working with other members of the team.


Despite years of security awareness training and phishing tests, almost half of the participants said their staff would be unsure how to react to a malicious email.


According to Sampson, the time lag between creating certification training material, having people learn it, and evaluating their competency is out of step with the rapidly changing threat landscape, leaving people continually unprepared to deal with contemporary cyberthreats.


The study concluded that, to effectively combat emerging and novel threats in a rapidly changing cybersecurity landscape, organizations must prioritize cybersecurity initiatives that improve knowledge, skills, and judgment throughout the workforce. At the same time, they must actively evaluate and address their levels of resilience and their cybersecurity skills gaps.