Only one out of ten businesses has implemented all four baseline cybersecurity measures: response plans, self-defence plans, cyber awareness training and cyber hygiene.
What does the survey show?
Typical baseline cybersecurity measures include response plans, self-defence plans, cyber awareness training and cyber hygiene.
Fifty-three percent of the respondents indicate that they have a fully implemented self-defence plan, and 44% indicate that they have a fully implemented response plan. Forty-three percent of the respondents say that they conduct regular awareness training, and 37% say that cyber hygiene is fully implemented. Only 9% of the respondents indicate that they have all four cyber measures fully implemented.
Q: Which of the following is implemented in your organisation in order to improve your cyber and information security?
As investments in new technology grow, so does the potential attack surface, giving cyber criminals more weaknesses to exploit. It is therefore alarming that only around one out of ten businesses in the financial sector has implemented all four baseline cybersecurity measures. In an increasingly digitised and interconnected world, it is crucial that businesses are protected by robust and resilient cybersecurity defences. The number is also surprising given the positive self-evaluation elsewhere in the survey, where 72% rated the level of their own cybersecurity as 7 or higher on a scale from 0 to 10, 10 being the most mature. Thus, there is a risk that businesses overestimate their own cybersecurity capabilities and operate with a false sense of confidence in their cyber defence.
According to Deloitte’s cyber experts, cyber hygiene and awareness training are fundamental and elementary initiatives that are crucial to any organisation’s cyber resiliency. Also, it is a necessity to have both a strategic plan and an operational plan for how you should defend yourself against the threats you are facing. If you do not have a response plan that tells you how to act when a cyber-attack strikes you, you are not as resilient as you might feel you are. Ideally, such plans need to be in writing, and you need to test them frequently to make sure that you are ready for when – not if – your organisation is hit by a cyber-attack.
There is plenty of low-hanging fruit that can be harvested relatively easily to strengthen cyber defence and resiliency. For instance, many organisations need to operationalise the knowledge, plans or procedures that already exist within the organisation but have not yet been documented or tested.
The bigger picture
Strategic self-defence plan
An operational and strategic plan to defend an organisation against cyber threats starts with a detailed threat assessment, weighing the likelihood of the threats materialising and conducting analyses and penetration tests to map and expose the organisation’s vulnerabilities. As a next step, security efforts must be prioritised; a budget has to be drawn up; and the strategically most important actions to be taken before, during and after a cyber-attack need to be identified and operationalised.
Several major organisations and businesses are lagging behind technologically, and their older systems pose a significant security risk. Structured and frequent cyber hygiene, including a sound vulnerability and patch management programme, significantly increases the level of cybersecurity.
Incident response plan
A good security incident response plan outlines several plausible security incident scenarios combined with an overview of the detailed steps that need to be taken to mitigate the threat. The plan must clearly identify key roles and responsibilities necessary to respond to a security incident. It then needs to be tested through red-team exercises and war gaming. Additionally, the incident response plan needs to align with other contingency plans in case of major incidents.
The Centre for Cybersecurity (CFCS) of Denmark estimates that “unconscious insiders” are involved in up to half of the security incidents recorded, which underlines the importance of conducting awareness training frequently. Organisations that are furthest ahead in this area utilise gamification or real-time awareness training to increase the efficacy of the training.