• by Ray Schultz , Columnist, April 12, 2019

Cyber criminals have a wide-open playground in American business. A shocking 77% of companies lack a cybersecurity incident response plan, according to the Cyber Resilient Organization in a study conducted by Ponemon Institute for IBM.

And over half of those that do have a plan fail to follow best practice and test it on a regular basis.

It makes no difference whether companies are hacked or expose via email phishing. The lack of a plan can lead to inability to comply with the GDPR.

Of the companies polled, 46% have not yet achieved full compliance with the GDPR.

“Failing to plan is a plan to fail when it comes to responding to a cybersecurity incident,” states Ted Julian, vice president of product management and co-founder of IBM Resilient.

He adds: “These plans need to be stress-tested regularly and need full support from the board to invest in the necessary people, processes and technologies to sustain such a program.” 

Still, 76% of the respondents place a high value on automation as a defense and 62% on cyber resilience in general.

Ponemon studied 3,655 organizations. Of that sample, 26% score themselves as 9+ on a scale of 1 to 10, making them “high-resistance.”

The safest firms are those with a high level of automation. Of those polled, 23% place themselves in that category — they deploy such tools as identity management and authentication, incident response platforms and security information and event management (SIEM) tools.

In contrast, 77% say they use automation only on a moderate or insignificant basis.

Ponemon also found that 57% of the firms surveyed have had a disruptive cybersecurity incident in the last two years, versus 50% of the high-automation companies.

Overall, 79% have had more than one episode, versus 73% of the high-automation companies.

In addition, 55% of the whole sample have suffered a data breach in which more than 1,000 records were lost, each containing sensitive or confidential customer or business information. But only 48% of the high-automation firms report the same.

Meanwhile, only 30% feel their cybersecurity staffing is sufficient to meet the threat. One reason may be the challenge of finding and retaining personnel — 75% say they face great difficulty in this area. On the positive side, 73% have a chief privacy officer.

The biggest driver of cybersecurity spending? For 56%, it is information loss or threat. In a separate survey, IBM has found that only 20% trust firms they interact to protect their data and privacy.