“Business resilience” is the modern evolution of what was once known as “business continuity”; the change in terminology was driven by the global connectivity and always-on culture of the internet. Boiled down, the concept grew out of disaster recovery planning. Given the constant threat of intrusion and disruption of online services, “recovery” on its own is no longer good enough: businesses have to harden themselves against the expectation of continual cyber security incidents, any one of which could be ruinous if it succeeds. Hence the need for a cyber resilience posture.
A new study from endpoint management and security company Tanium indicates that businesses overwhelmingly believe cyber resilience and business resilience are fundamental, but its findings suggest that they are having a great deal of trouble achieving them.
The cyber resilience survey
The Tanium study included key decision makers at over 4,000 businesses located in the United States, Japan and throughout Europe. All companies surveyed had at least 1,000 employees.
96% of those surveyed agreed that cyber resilience should be a core component of their strategy for long term growth and stability, but only 54% felt certain that it currently is.
A number of barriers to achieving cyber resilience were cited, many of them familiar:
Too much organizational complexity (34%)
A feeling that hackers are more sophisticated than the company’s IT staff (33%)
A “siloed” organizational structure (20%)
Additionally, over a fifth of the companies surveyed cited poor visibility into entry points and an inability to detect attacks in real time as significant barriers.
There were also serious questions about who ultimately owns responsibility for cyber resilience in the organization: 30% felt it rested with the head of IT or the Chief Information Officer, 23% spread it across every member of the organization, and 13% placed it on the CEO.
Companies also appear unprepared to deal with the fallout of a data breach: 33% did not believe they could calculate the actual cost of a breach, 28% did not have a good sense of what response and recovery efforts would cost them, and 29% were not sure what a breach of protected personal data would cost.
It is fair to say that Tanium has a natural bias here, as it sells a comprehensive endpoint platform pitched as an all-in-one replacement for the multiple tools businesses currently juggle. That does not diminish the salience of the responses, however, or the fact that businesses do tend to rely on an unruly patchwork of endpoint tools for securing and managing their networks.
The C-suite as security threat?
The Tanium survey also indicates that the executive ranks frequently lack the business resilience knowledge and posture the company requires. Of the CIOs and CISOs surveyed, 94% felt they had to make compromises because of business and operational challenges.
To some degree, that is a natural result of standard business risk management. It is not always a matter of costs and resource allocation, however. 81% of these CIOs/CISOs have held back a security update out of concern about adverse effects on business operations, and 80% reported having signed off on a critical update only to find later that it had not deployed to every device.
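Catching that second failure, an update that was approved but never reached every device, is a reconciliation problem: compare the asset inventory (what the organization believes its fleet is) against what each endpoint last reported, and treat silence and stale data as non-compliance rather than as absence of a problem. The following is an added example, not code from the article or from Tanium; the inventory, hostnames, package name, versions and timestamps are constructed for illustration, and the seven-day staleness threshold is an assumed policy value.

```python
from datetime import datetime, timedelta

# Constructed sample data (not from any real fleet): the asset inventory the
# CIO signs off against, and the last patch-status report each endpoint sent.
INVENTORY = {
    "app-01": "linux", "app-02": "linux", "db-01": "linux",
    "ws-101": "windows", "ws-102": "windows", "ws-103": "windows",
}

# (host, package, installed version, time the report was generated)
REPORTS = [
    ("app-01", "openssl", "3.0.13", "2024-05-02T09:00:00"),
    ("app-02", "openssl", "3.0.11", "2024-05-02T09:05:00"),  # old build still installed
    ("db-01",  "openssl", "3.0.13", "2024-04-01T09:00:00"),  # report is a month old
    ("ws-101", "openssl", "3.0.13", "2024-05-02T10:00:00"),
    ("ws-102", "openssl", "3.0.13", "2024-05-02T10:00:00"),
    # ws-103 is in inventory but never reported at all
    ("lab-77", "openssl", "3.0.13", "2024-05-02T10:00:00"),  # reporting but not in inventory
]

REQUIRED_VERSION = "3.0.13"   # the version the critical update was meant to install
STALE_AFTER = timedelta(days=7)  # assumed policy: older reports cannot vouch for a host


def parse_version(v: str) -> tuple:
    """Turn a dotted version string into a tuple of ints so comparisons are numeric."""
    return tuple(int(part) for part in v.split("."))


def reconcile(inventory, reports, package, required_version, now, stale_after=STALE_AFTER):
    """Classify every inventoried host by what its most recent report says.

    Precedence is deliberate: a host that never reported is 'silent', a host whose
    newest report is older than stale_after is 'stale' (its version claim is not
    trusted either way), and only then do we compare the installed version.
    Hosts that report but are not in inventory are flagged 'unknown'.
    """
    now = datetime.fromisoformat(now)

    # Keep only the newest report per host for the package of interest.
    latest = {}
    for host, pkg, version, reported_at in reports:
        if pkg != package:
            continue
        ts = datetime.fromisoformat(reported_at)
        if host not in latest or ts > latest[host][1]:
            latest[host] = (version, ts)

    result = {"compliant": [], "outdated": [], "stale": [], "silent": [], "unknown": []}
    for host in inventory:
        if host not in latest:
            result["silent"].append(host)
            continue
        version, ts = latest[host]
        if now - ts > stale_after:
            result["stale"].append(host)
        elif parse_version(version) < parse_version(required_version):
            result["outdated"].append(host)
        else:
            result["compliant"].append(host)
    result["unknown"] = [h for h in latest if h not in inventory]

    for bucket in result.values():
        bucket.sort()
    # Coverage is measured against inventory, so silent and stale hosts count against it.
    result["coverage"] = len(result["compliant"]) / len(inventory) if inventory else 0.0
    return result


def signoff_ok(result) -> bool:
    """True only if every inventoried host positively confirmed the required version."""
    return not (result["outdated"] or result["stale"] or result["silent"])


def run_example():
    return reconcile(INVENTORY, REPORTS, "openssl", REQUIRED_VERSION, now="2024-05-03T00:00:00")


if __name__ == "__main__":
    r = run_example()
    for bucket in ("compliant", "outdated", "stale", "silent", "unknown"):
        print(f"{bucket:>9}: {', '.join(r[bucket]) or '-'}")
    print(f"coverage: {r['coverage']:.0%}  sign-off justified: {signoff_ok(r)}")
```

The point of the ordering is that a console showing "100% of reporting hosts patched" can be true while half the fleet is unaccounted for; measuring against the inventory, and refusing to count stale or silent hosts as patched, is what turns a sign-off into an actual verification.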
The reasons for these decisions vary, but all of them could be addressed. Those cited include difficulty applying policy updates to legacy systems, a tendency to replace a component with a new system rather than fix it when it develops a vulnerability, and internal company politics.
The end result at many companies is a “Frankenstein’s monster” of a security policy, assembled over time from inconsistent components, with little visibility or control between business departments as each buys its own tools.
As the Tanium resilience gap study points out, companies spend over one trillion dollars per year on digital services and business components. New components appear at lightning speed, and so do new cyber threats. If a company does not have a comprehensive and cohesive cyber resilience strategy in place, the usual end result is one of these Frankenstein systems, which becomes more vulnerable over time.
The unique considerations of modern business resilience
An important component of cyber resilience is protecting the personal information of customers and employees in the digital environment. It is widely expected that regulation along the lines of Europe’s General Data Protection Regulation (GDPR), with its potentially massive fines for companies that fail to adequately secure personal information, will become the norm across the countries included in this survey. It is not hyperbole to say that a personal data breach could be a crippling or even fatal blow to a small or medium-sized business in such a regulatory environment; a frequently cited figure holds that 60% of businesses of this size fold within six months of being hacked.
It is becoming increasingly critical for businesses to scrutinize not only their own cyber resilience but that of their suppliers. Beyond the threat of a crippling supply chain disruption, outside vendors with access to company networks can themselves become an attack vector, as was the case in the major hacks of Target and Experian and in the Russian intrusions into the United States power grid.
A traditional part of business risk management is assessing consequences, and in practice some consequences are judged acceptable compared with the cost of curtailing the threat. When it comes to business resilience, it appears that many companies are underestimating (or entirely unaware of) the full consequences of a breach. Unfortunately, for SMEs the cost of learning this lesson the hard way could very well be the loss of the business.