Cyber resilience programmes fall short according to study
by Tina Siering
Why cyber resilience is at the top of the list of strategic business objectives
The 2023 Cyber Workforce Resilience Trend Report by Immersive Labs, an employee-centric cyber resilience company, shows that organisations are focusing heavily on building holistic cyber resilience in the face of rising cyber attacks and the acute threat landscape. Cyber resilience as a package of measures can prevent cyber attacks on IT infrastructure - or ensure rapid recovery and secure continued operation of IT after an attack has occurred. It affects many parts of a company or organisation, not exclusively IT security teams. The study surveyed 570 cybersecurity and risk managers in the US, UK and Germany (companies with at least 1,000 employees).
Although 86 percent of the 570 security executives surveyed already have a cyber resilience programme in place at their companies, more than half of the respondents say there is no holistic approach to assessing cyber resilience. The most important area of focus for companies is strengthening the organisation as a whole, taking the entire workforce into account. Despite these efforts, 53 per cent of respondents say their employees are not adequately prepared to recognise and defend against potential future cyber attacks of any kind.
The study highlights the need for effective and modernised cyber resilience programmes that are not tailored solely to cyber security teams. In many cases, companies doubt that employees know how to respond to a specific cyber security incident. As a result, the reliability of industry certifications and classroom training is questioned. Many companies lack appropriate metrics for measuring their own cyber resilience, boards and top management still often fail to recognise the urgency and need for action, and too few decision-makers (46%) demand concrete evidence of the company's own resilience. The results of the study indicate that although cyber resilience has a high priority in strategic planning and sufficient training and programmes are available on the market, the existing structures and training methods must be judged ineffective.
Findings of the study
- Ignorance among employees
46 percent of respondents believe that despite training, employees do not know how to deal with phishing emails.
Maintaining business operations without the failure of key IT systems, handling time-critical processes manually, and avoiding disruption of the recovery process by connecting compromised devices to the network are among the top priorities.
- Too little training
The reliability of industry certifications and classroom training in building cyber resilience is questioned: while almost all companies support industry certifications, only 32 per cent consider them effective in mitigating cyber threats. Classroom training is offered too infrequently to be effective: only 27 per cent of respondents say they attend training on a monthly basis.
- Industry certifications not effective
While virtually all companies promote industry certifications, only 32 per cent see them as an effective means of mitigating current cyber threats.
- Lack of a metrics framework for measurement
46 per cent said they had no required metrics to demonstrate employee resilience in the event of a security incident. Only a tiny fraction of companies (6 per cent) have meaningful metrics to demonstrate the cyber resilience of teams to management, such as response times to remediate a vulnerability.
- Lack of sensitivity at management level
In about half of the companies surveyed (51 per cent), management required proof of cyber resilience from the cyber security teams. Raising board and executive awareness of the importance of cyber resilience is an important step in gaining more support.
What can be deduced from the results of the study?
The importance of a high level of cyber resilience has been recognised by companies - and corresponding measures are given a high strategic priority.
However, existing training approaches and programmes are not considered effective enough. 53 percent of respondents fear that their own employees are not sufficiently equipped against current and future cyber threats. Above all, there is a lack of suitable approaches to strengthen cyber resilience holistically and to measure it concretely.
Consequently, it is not enough to follow the credo "once trained, always qualified". This is also confirmed by James Hadley, CEO and founder of Immersive Labs: "Despite all the classroom training and certifications, half of the respondents state that employees, cybersecurity teams and the company as a whole are not sufficiently prepared. It quickly becomes clear that current programmes need to be restructured to drive a successful cyber resilience agenda."
Companies that want to significantly increase their resilience to cyber attacks need to focus on continuously improving their existing cyber defence capabilities. After all, even after significant technical investments in cyber security, hardly any IT managers can currently say with certainty how reliably their security team could detect, analyse and defend against attacks. For companies to remain capable of acting in the event of an incident, they need well-coordinated incident response readiness processes - and individual action catalogues that accelerate effective defence. Incident Response Readiness Workshops are an important building block in the development of holistic cyber resilience.
Conclusion
The study shows that cyber resilience, as an urgently needed capability, has arrived on the agenda of organisations and companies. However, the programmes and training courses currently implemented are not considered sufficient; holistic approaches that increase resilience across the whole organisation are required.
One thing is certain: IT security is only as effective as the people who operate the systems. Many real cyber dangers are caused unwittingly by employees - social engineering being the keyword. Only if all employees are genuinely integrated into the company's security culture can the security awareness that is indispensable today be achieved.
Companies that want to actively drive their cyber resilience agenda should focus on continuously assessing and improving their cyber capabilities and backing them up with robust data. Modern solutions for awareness training and employees who have the necessary know-how to confidently counter current and emerging threats in practice are needed.
Here you will find detailed information on our Cyber Security Workshop, where you can test the efficiency and effectiveness of your behaviour in simulated attack scenarios.