● Companies that are successful in withstanding a cyberattack (displaying a ‘high resilience-quotient’) master three essential capabilities. They:
- have a full inventory of assets and refresh as needed (91%)
- have identified their critical business services (73%)
- have mapped impact tolerances to both critical and non-critical business services (61%)
● Although 69% of Belgian CEOs are worried about cybercrime, no less than 75% believe that their organisation can withstand a cyber attack, suggesting there is still a long way to go in terms of raising awareness.
22 October 2019 - Ransomware is the fastest growing cyber threat, with an average of more than 4,000 ransomware incidents occurring daily, according to the US Federal Bureau of Investigation (FBI). “Good enough” just isn’t enough anymore when it comes to protecting data and information. In PwC’s latest Digital Trust Insights study, PwC asked 3,500 business and IT leaders around the world about their digital resilience. The goal was to determine which companies are prepared to withstand and recover quickly from a cyber attack, and to understand how these organisations developed that expertise. The results show that businesses with the most mature strategies are also the most likely to have revamped their resilience plans in the face of new “very significant” threats.
Introducing resilience by design
PwC reports that 25% of the global respondents fall into the high resilience-quotient group (high RQ). These companies are more likely than other respondents to have revamped their strategies in the face of new threats. The high-RQ group has shifted its mindset away from the traditional disaster recovery model towards ‘resilience by design’. This more expansive approach involves gaining real-time views of higher-priority processes so that decision makers and responders can react to incidents in concert, with minimal harm to the business. In essence, they focus on three areas:
- visibility into critical processes, assets and dependencies;
- defining and testing how much disruption their organisation can tolerate;
- building digital resilience by design.
Businesses in the high-RQ group are more likely to have revamped strategies in the face of new, “very significant” threats (59% vs. 31% of the rest of the survey respondents). They’re also more confident that they can manage emerging risks that test cyber resilience (73% vs. 24%).
Confirming the CIS Controls™ top 20
Without understanding how data assets and processes are connected to core business services and their interdependencies, an organisation can’t know which systems or assets to isolate in case of an attack. The most striking difference between the high-RQ group and the rest is this: 91% of high-RQ companies maintain an accurate inventory of assets and refresh the list as needed, compared to only 47% of the rest.
“The results of our research confirm the top two of the CIS Top 20 Critical Security Controls™ to protect an organisation and its data from known cyberattack vectors: firstly, build and maintain an inventory of devices and secondly, build and maintain an inventory of software,” says Ingvar Van Droogenbroeck, partner and Cyber & Privacy leader at PwC Belgium. “We also focus on these controls when working with clients that are building information management systems in accordance with the ISO 27001 information security management standard.”
Only as strong as the weakest link
For large enterprises, IT assets run in the millions and connections in the hundreds of millions. But there are technologies to map critical assets and processes in-depth. More than half of high-RQ entities have automated their inventory and mapping processes, compared to only 10% of the rest.
“Too often, organisations don’t have an accurate and complete overview of their IT estate, let alone the dependencies within and between assets, and therefore lack an understanding of which are critical for their operations. If then there is a major setback, recovery will be difficult and costly,” explains Ingvar Van Droogenbroeck, partner and Cyber & Privacy leader at PwC Belgium. “If there are hardware or software components that you’re unaware of in your system, it’s unlikely they are fully patched or properly secured, making them an easy entry point to your entire infrastructure.”
It’s worth noting that 73% of the high-RQ group have identified their most important business services, while only 27% of the rest have done so. Organisations must set limits on the duration and the cost they’re willing to bear - their impact tolerance. In too many cases, organisations also have no strong business continuity plan in place. Because priorities differ by department, what is really critical may then need to be identified during the crisis, complicating and extending the recovery.
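The three capabilities the text describes (an asset inventory reconciled against what is actually on the network, a dependency map from assets to business services, and an impact tolerance per service) can be exercised together in a short script. The following is an added example and is not code from PwC or from the study; every asset name, dependency, business service, tolerance value and discovered host in it is constructed for illustration, and the dependency traversal is one straightforward way of answering the “which systems to isolate” question, not a method the report prescribes.

```python
"""Reconcile a discovered-host list against an asset inventory and trace
which business services a failed or isolated asset would take down.
Added illustration: all data below is constructed, not from the PwC study."""
from collections import defaultdict, deque

# Constructed authoritative inventory (think: a CMDB export).
# "depends_on" lists the assets this one cannot operate without.
INVENTORY = {
    "db-01":     {"owner": "dba", "depends_on": []},
    "app-01":    {"owner": "dev", "depends_on": ["db-01"]},
    "web-01":    {"owner": "dev", "depends_on": ["app-01"]},
    "report-01": {"owner": "fin", "depends_on": ["db-01"]},
    "backup-01": {"owner": "ops", "depends_on": []},
}

# Constructed business services, each mapped to the assets it is served
# from and an impact tolerance: the longest outage the business will bear.
SERVICES = {
    "online-orders":     {"assets": ["web-01"],    "tolerance_hours": 4,  "critical": True},
    "monthly-reporting": {"assets": ["report-01"], "tolerance_hours": 72, "critical": False},
}

# Constructed result of a network discovery scan: one host is unknown to
# the inventory, and one inventoried host did not answer.
DISCOVERED = ["db-01", "app-01", "web-01", "report-01", "iot-cam-7"]


def reconcile(inventory, discovered):
    """Return (unmanaged, stale): hosts seen on the network but not in the
    inventory, and inventory entries that were not seen on the network."""
    seen, known = set(discovered), set(inventory)
    return sorted(seen - known), sorted(known - seen)


def reverse_dependencies(inventory):
    """Map each asset to the assets that depend on it (reverse edges)."""
    rev = defaultdict(list)
    for asset, record in inventory.items():
        for dep in record["depends_on"]:
            rev[dep].append(asset)
    return rev


def impacted_assets(inventory, failed):
    """Transitively collect every asset that stops working if `failed` does."""
    rev = reverse_dependencies(inventory)
    impacted, queue = {failed}, deque([failed])
    while queue:
        current = queue.popleft()
        for dependant in rev[current]:
            if dependant not in impacted:
                impacted.add(dependant)
                queue.append(dependant)
    return impacted


def affected_services(inventory, services, failed):
    """Business services served by any asset that `failed` takes down."""
    impacted = impacted_assets(inventory, failed)
    return sorted(name for name, svc in services.items()
                  if impacted.intersection(svc["assets"]))


def tolerance_breaches(services, affected, estimated_outage_hours):
    """Affected services whose impact tolerance is shorter than the outage."""
    return sorted(name for name in affected
                  if services[name]["tolerance_hours"] < estimated_outage_hours)


if __name__ == "__main__":
    unmanaged, stale = reconcile(INVENTORY, DISCOVERED)
    print("unmanaged (on the network, unknown to inventory):", unmanaged)
    print("stale (inventoried, not seen on the network):", stale)
    for failed in ("db-01", "app-01"):
        hit = affected_services(INVENTORY, SERVICES, failed)
        print(f"{failed} down -> services affected: {hit}; "
              f"tolerance breached at an 8h outage: {tolerance_breaches(SERVICES, hit, 8)}")
```

The unmanaged list is the “components you’re unaware of” from the quote above: anything there cannot be assumed patched and is the first thing to investigate. The impact traversal turns the dependency map into the decision the text calls for during an incident: isolating the database takes both services down, isolating the application tier only the order service, and comparing each against its tolerance shows which outage the business can actually absorb.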
Belgian CEOs are also increasingly concerned. Our latest CEO Outlook survey 2019 confirms that 69% of Belgian CEOs are worried about cybercrime. 72% of Belgian CEOs recognise that their organisation or company could potentially become a target for geopolitical cyber activities. Yet no less than 75% of Belgian CEOs believe that their company or organisation can withstand a cyber attack. This certainly suggests that there is still a long way to go in terms of raising awareness.
“Worse still, in many organisations documentation is lacking or not up-to-date. If information resides with only one or two key individuals, your survival may depend on the availability of those people during the crisis,” Ingvar Van Droogenbroeck says.
View the Digital Trust Insights September 2019 report here.