With WannaCry still fresh in our minds, it is clear that the cyber-threat is very real. Business continuity plays a key role in responding to an incident such as this and in ensuring that the organisation is able to manage any disruption and prevent it from turning into a crisis.
The Cyber Resilience Report put together by the Business Continuity Institute (BCI) and Sungard AS surveyed 734 respondents from 69 countries, most of whom were from Europe (36 percent), Asia (35 percent) and North America (10 percent).
Sixty percent of senior management cited a high commitment to cyber-resilience and 87 percent of organisations have business continuity arrangements related to cyber-resilience. Almost a quarter (23 percent) reported involving Business Continuity Management (BCM) teams for cyber-resilience issues.
“Cooperation is key to building cyber and organisational resilience. Different disciplines such as business continuity, information security and risk management need to come together, share intelligence and start speaking the same language if they want to build a safer future for their organisations and communities,” said David Thorp, executive director at the BCI, in a release.
Nearly two-thirds of respondents (64 percent) experienced at least one cyber-disruption during the previous 12 months. Meanwhile, 15 percent had experienced at least 10. Of those who had experienced a cyber-disruption, over half (57 percent) revealed that phishing or social engineering had been one of the causes.
A third of respondents (33 percent) suffered disruptions that totaled more than €50,000 (£44,000), while more than one in 10 experienced losses higher than €250,000 (£220,000).
One in six respondents reported a single incident that resulted in losses of more than £44,000. Nearly one fifth of respondents working for an SME reported cumulative losses of more than £44,000.
The top causes of cyber-disruption include phishing and social engineering (57 percent), malware (41 percent), spear-phishing (30 percent), denial of service (20 percent), out-of-date software (18 percent) and ransomware (18 percent).
“Cyber issues have to be included in existing processes (such as incident communication plans) rather than developing specific parallel processes just for cyber. There is a need to move from an event based approach (cyber-security) to a resilient cyber-strategy (cyber-resilience) that includes a plan for events in the same way that BC includes DR (disaster recovery),” said a respondent in the report.