Companies are failing to develop, update and execute successful incident response plans in the event of a damaging cyberattack, a new white paper from AT&T Business warns. The report cites a corporate survey of 800 global enterprises in which 81 percent of IT professionals said their companies had an incident response plan in place, but only 34 percent of these respondents felt the plan was effective.
According to the report, entitled The CEO's Guide to Cyberbreach Response, many incident response plans suffer from the lack of a corporate-wide, cross-functional leadership team, while other plans do not undergo testing and tweaking frequently enough.
“They industry as whole is still extremely reactive. The general approach is to [only] get really serious about this after you're breached. They're not prepared beforehand,” Jason Porter, AT&T's vice president of security solutions, told SCMagazine.com.
A strong cross-functional leadership team includes representatives from all relevant departments, including the C-level suite, IT, security, legal and PR, the report stated. Porter noted that third-party cybersecurity partners are too often absent from the table when a company is preparing for its next cyber crisis, as are some C-level executives who fail to take an active role. This often results in “a gap in your response that will at a minimum result in time lost and in the worst-case scenario result in further damage,” said Porter.
Further exacerbating the problem, only nine percent of surveyed companies actually review and update their incident response playbooks more than once per year, while more than one-third admitted their plan hadn't been updated since it was first developed. Another 36 percent acknowledged having no set time period for reviewing plans.
To correct these lapses in the planning process, the AT&T report recommended that at least twice a year, if not quarterly, businesses conduct company-wide “tabletop” exercises that simulate various cyberattack scenarios. “The problem is getting all of [your corporate] constituents, all of those critical parties, to be aware of their roles and how they are going to communicate upon identification of a breach,” said Porter.
A flawed, outdated or insufficient response plan can lead to severe consequences. The report found that enterprises experienced an average of 23 hours of downtime as a result of security incidents in 2015, while small-to-medium-size businesses averaged nearly 14 hours of downtime. In the business world, hours can equate to millions in lost revenues.
Moreover, 62 percent of surveyed businesses said they suffered a data breach sometime between the start of Q2 2015 and the end of Q1 2016. Among these breach victims, 42 percent said these incidents had a negative impact on the business. AT&T also reported receiving a total of 245,000 distributed denial of service (DDoS) attack alerts across its global customer network over that same time span.
IDC conducted the survey on behalf of AT&T.
Ironically, Porter actually found a silver lining in having 62 percent of customers acknowledge a breach in the past year: In a 2014 survey, only one-third of respondents said they experienced a breach – a percentage that AT&T believed was inaccurately low as a result of companies' inability or unwillingness to identify a cybersecurity incident. So yes, they're still getting breached, but “that's a good news story in that they're starting to recognize it.”