IBM report: Security response improving - containing attacks, not so much
Organisations have improved their detection of and response to cybersecurity incidents in the last five years, yet their ability to contain an attack has dropped by 13% over the same period, according to new data from IBM Security.
It's indicative of a space in which 74% of organisations report having either ad-hoc, inconsistently applied, or non-existent security plans, despite generally improving responses to attacks.
The survey, conducted by the Ponemon Institute, gleaned insights from over 3,400 global security and IT professionals and discovered several different contributing factors leading to lapses in security response efforts, including the use of too many security tools and a lack of planning.
The latter factor was crucial for many organisations, says IBM Security, with companies that have incident response teams spending $1.2 million less on data breaches than those without.
“While more organisations are taking incident response planning seriously, preparing for cyber-attacks isn't a one and done activity,” says IBM X-Force Threat Intelligence vice president Wendi Whitmore.
“Organisations must also focus on testing, practicing and reassessing their response plans regularly. Leveraging interoperable technologies and automation can also help overcome complexity challenges and speed the time it takes to contain an incident.”
The IBM report outlines three specific factors affecting the overall security response for organisations: having an updated playbook for threats, the complexity or quantity of security tools used, and the presence of an effective plan.
Even amongst the organisations with a formal cybersecurity incident response plan (CSIRP), only 33% had playbooks for specific attack types.
Different kinds of cyber-attacks call for different kinds of response strategies, and instituting playbooks can provide predictability and consistency to action plans, especially for an organisation's most common attacks.
Of those with concrete security response plans, 52% admit never having reviewed them. IBM says that the increasing proficiency and sophistication of attacks should prompt organisations guilty of this to review their potentially outdated response plans.
Respondents reported using, on average, around 45 different security tools, with each separate security incident requiring coordination between 19 tools on average.
This excess of solutions does not result in better security – in fact, those using more than 50 tools ranked themselves 8% lower in their ability to detect an attack (5.83/10 vs. 6.66/10), and around 7% lower when it comes to responding to an attack (5.95/10 vs. 6.72/10).
IBM says the adoption of complexity-reducing automation tools can help solve this problem – 63% of high-performing organisations surveyed said the use of interoperable tools helped them improve their response to cyber-attacks.
39% of respondents who have a CSIRP experienced an incident that resulted in significant disruption, compared to 62% of respondents without such a plan.
Technology also plays a large part in cyber resilience. Organisations with higher levels of resilience cited visibility into applications and data (57%) and automation tools (55%) as the top two factors for improving resilience.
Overall, the data suggests that surveyed organisations that were more mature in their response preparedness relied more heavily on technology innovations to become more resilient.