KPMG: Business confidence on cyber preparedness is falling
Only one in five IT leaders commit to being “very well” positioned to deal with attacks, a 28 per cent drop…
Despite the volume of high-profile recent cyber security issues raising awareness to record levels, business preparedness has not kept in step at all, according to experts at KPMG. In fact, incidents such as Bad Rabbit, or the large documented rise in phishing attacks, seem to have had little impact at all.
It turns out that only one in five IT leaders (21 per cent) agree that they are “very well” positioned to manage an imminent cyber attack, a figure that is down 4 per cent from last year, and down 28 per cent in the last four years. This slide in competence was further highlighted by the prevalence of the threat: almost a third of respondents (32 per cent) said their company has been subject to a major IT security incident or cyber attack in the last two years. That figure represents a rise of 14 per cent in 12 months, and a relatively concerning 45 per cent rise in just four years.
The Harvey Nash/KPMG CIO Survey 2017 ascribed the drop in preparedness in the face of rising compromises to the pace of change, which is impacting on businesses' ability to mature their cybersecurity programs. Core business issues such as speed to market, combined with the evolving threat landscape and technological change, have created a series of barriers to performing appropriate due diligence over cyber risks and considerations, the report summarised.
Ilia Kolochenko, security expert and CEO, High-Tech Bridge, said: “Cybersecurity is not rocket science and is mainly based on common sense. First of all, one needs to locate all digital assets of a company including hardware, software, users, data and licenses. It’s a challenging task in the era of cloud, outsourcing and mobile, however it’s a quintessential and unavoidable step to take before spending on cybersecurity. Without it, you pour money down the drain.
“Once you have a comprehensive and up-to-date inventory of your digital assets, it’s the right time to perform a holistic risk assessment and prioritization. Further, you need to prepare an actionable risk-based mitigation plan with clear deadlines and responsibilities assigned to the right people with the necessary authority and budgets. Continuous monitoring and measurement of threat and risk mitigation is vitally important, as well as continuous monitoring of new assets and vulnerabilities. Cybersecurity is a 24/7 process of continuous improvement, not a set of yearly actions to address on an ad hoc basis.”
The analyst team at KPMG made three central recommendations along complementary lines, designed to manage cyber risk:
- Make sure IT is more integrated with the business than ever before. IT leaders must be at the table for strategic conversations, not relegated to a fulfilment role.
- Embed cyber thinking into rapid application development. Once the critical assets to be protected are fully defined, it is easier to integrate security into a DevOps cycle.
- Implement a constant monitoring program with a robust governance matrix. Learning from incidents is vital, and having a framework for continuous monitoring and resulting integration into the next round of business transformation and daily operations is core to allowing cyber risk management to grow, rather than being siloed within individual projects.