Survey Finds Lag in Crisis Response Planning

A recent survey from security firm Immersive Labs found that many organizations don’t hold crisis simulations more than once a year, and the majority of organizations when holding such exercises only do so with IT teams.

The study, conducted by Osterman Research, is based on a survey of senior security professionals at 402 organizations based in the U.S. and UK. According to the survey, “Cyber Crisis Response: Fit for Today’s Threat Landscape,” 40% of respondents are not confident that their organization would be able to handle an imminent data breach.

A quarter of those surveyed said that they run crisis exercises without including senior cybersecurity leadership, and only 20% included communication teams. And about half of those surveyed said that they don’t include professionals from various domains in their incident response exercises and of those organizations that do tap professionals across business units, they said they only meet once a month.

According to the survey, 42% of respondents don’t have regular cross-team incident planning and over one-third only hold simulations every year—or longer. And in 59% of organizations surveyed, members of the C-suite aren’t present, while 80% conduct their crisis simulations without members from the communications team. Nearly 90% don’t have a representative from customer-facing groups.

The survey also found that there is an unwarranted over-reliance on the incident response plans in place, which has harmed confidence in organizations’ incident response capabilities. This was demonstrated in the survey: 61% of respondents believe that having an incident response plan in place is the most effective way to prepare for security incidents and about 40% of respondents said that an incident response plan provides more value than traditional tabletop exercises. Yet, nearly 40% of those asked said that their last such exercise failed to inform any changes from business leaders.

A surprising number of respondents—60%—indicated that they believe that the best way to prepare for an incident is to buy more technology.

These exercises don’t come cheap, with respondents indicating that they spent greater than $30,000/£24,000 on their last exercise, with nearly 20% of respondents saying that they spend more than $50,000/£40,000. Staff time is the most expensive part of these drills.

The study also found that pandemic makes the human aspect of incident response more difficult. One-fifth of those surveyed said that they find it impossible to include those in other geographies remotely, and only 15% said that they bother to work on stress-testing how their people are ready to respond to incidents.

Finally, the survey found ransomware continues to take off. According to the report, businesses detected 365% more ransomware from the second quarter of 2018 and the same period in 2019. And international organizations witnessed a 148% increase in ransomware attacks during the pandemic.

While most organizations conduct their tabletop exercises with multiple scenarios, the most common include data breaches, ransomware attacks and spear phishing.