In this era of heightened cybersecurity awareness, just 22 percent of companies have a comprehensive plan in place to deal with major incidents, a new survey said.
At the same time, 97 percent said they have been the victims of a digital attack, and 55 percent said they have seen an increase in cyber attacks, according to a new survey from KPMG and British Telecom.
“Our research is showing us that people don’t have a plan that they can turn to if they are under considerable attack,” said BT Americas CISO Jason Cook.
In particular, a good plan should include more than just the IT department, he said.
“Do you deliberately mention business functions that are not directly tied into cybersecurity?” he asked. “What does the legal team do? How does vendor management get involved? How do you communicate with partners and customers?”
In the dynamic, evolving security world, the plan cannot be set in stone; it has to remain fluid.
In addition, the survey found that only 23 percent of respondents have adequate cyber insurance in place.
“The rest have either no cyber insurance, or have inadequate cyber insurance,” Cook said.
Cyber insurance can typically cover loss of and damage to digital assets, business interruption costs associated with system downtime, direct financial losses from cyber fraud or extortion attempts, specialist support for incident management, forensics and investigation, and reputation management services, said David Ferbrache, technical director for cyber security at KPMG.
Companies should also look for coverage for problems involving their business partners.
“This might cover the damages associated with a security breach which impact a third party such as the inability to meet contractual obligations,” Ferbrache said.
Insurance policies may also specifically cover physical damage that results from cyber attacks on industrial control systems.
“This has been an issue for oil and gas firms and industrial manufacturing firms,” he said.
The survey also found that 51 percent of companies had no strategy for dealing with ransomware and other types of blackmail, Cook said.
The report emanated from a survey of 100 CISOs, CIOs and other IT executives at Fortune 500 companies in the U.S., the UK, Singapore, India and Australia.