Many businesses not testing cyber security incident response plans

Out-Law News | 11 Dec 2014 | 3:41 pm | 2 min. read

A fifth of businesses have either not set out how they would respond to cyber security incidents or fail to ever test their procedures, according to a new report.

Trustwave's 'state of risk' report for 2014 (21-page / 2.70MB PDF) revealed the findings of a survey the information security provider commissioned into organisations' susceptibility to risk. It found that 21% of businesses have either no incident response procedures in place or never test them if they do.

A quarter of the 476 IT professionals surveyed said they test incident response plans quarterly and 36% said they tested them annually.

The report also revealed that 20% of businesses have no internal process that enables staff to report security incidents "immediately and without fear of reprisal" within their business. However, 74% of businesses have an up-to-date business continuity plan, it said.

Trustwave's report also highlighted the shortcomings of many organisations in facilitating the 'bring your own device' (BYOD) trend in a secure fashion. BYOD is a term used to describe employees' use of their own personal mobile devices for work purposes. Only 62% of businesses "have technical controls in place to allow employees to use their own devices", whilst just 67% have "policy controls" that govern BYOD activity, the report said.

The report said that 60% of companies are "fully aware of their legal responsibilities in safeguarding sensitive data". However, it said that more than a fifth of IT professionals surveyed said their company has never carried out security awareness training (21%), never held security planning meetings (23%), or required staff to "read and sign their businesses’ information security policy" (24%).

According to the report, 50% of businesses run internal vulnerability scans, and 60% run external vulnerability scans, on critical systems less than once every three months.

Jay Abbott, managing director of Advanced Security Consulting Limited, told Out-Law.com, however, that there is no single correct timeframe businesses can follow for running security scans.

"It is very easy to think that more often is better but it simply isn’t," Abbott said. "The frequency of scan should be calculated based on the amount of targets versus the level of known insecurity versus the time to fix. There is no point in a weekly scan of a large estate where the quantity of findings that arise equates to more fix time than exists between receiving the results and the next scan window."

"I recommend clients use automated scanning solutions as part of an overall vulnerability management programme, but that the targeting, grouping, frequency and approach to the analysis and fix of the results is defined based on a logical approach to the problem and the desired outcomes. A vulnerability management programme that includes automated and manual testing strategies is a fundamental tenet of any security programme and needs to be part of the overall risk equation," he said.
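As an added illustration of the calculation Abbott describes (this is not code from the report, from Trustwave or from Abbott), the small Python model below checks whether a proposed scan interval leaves enough remediation time for the findings a scan produces, and shows how a backlog grows when it does not. The asset groups, finding rates and fix throughput are constructed figures.

```python
from dataclasses import dataclass
import math


@dataclass
class AssetGroup:
    """One scan target group (hypothetical model, not a product API)."""
    name: str
    targets: int                 # hosts in scope for the scan
    findings_per_target: float   # expected new findings per host per scan
    fix_per_day: float           # remediation throughput in findings per day


def min_scan_interval_days(group: AssetGroup) -> int:
    """Smallest interval at which one scan's findings can be fixed before the next scan lands."""
    expected_findings = group.targets * group.findings_per_target
    return max(1, math.ceil(expected_findings / group.fix_per_day))


def simulate_backlog(group: AssetGroup, interval_days: int, cycles: int) -> list:
    """Open findings at the end of each scan window for a given cadence."""
    backlog = 0.0
    history = []
    for _ in range(cycles):
        backlog += group.targets * group.findings_per_target       # scan results arrive
        backlog = max(0.0, backlog - group.fix_per_day * interval_days)  # fix window elapses
        history.append(round(backlog, 1))
    return history


def cadence_is_sustainable(group: AssetGroup, interval_days: int, cycles: int = 8) -> bool:
    """True when the backlog is not growing cycle over cycle at this cadence."""
    history = simulate_backlog(group, interval_days, cycles)
    return history[-1] <= history[0]


# Constructed sample groups: a large general estate and a small critical tier.
LARGE_ESTATE = AssetGroup("large estate", targets=400, findings_per_target=2.5, fix_per_day=100.0)
CRITICAL_TIER = AssetGroup("critical tier", targets=20, findings_per_target=1.0, fix_per_day=10.0)

if __name__ == "__main__":
    for group in (LARGE_ESTATE, CRITICAL_TIER):
        print(f"{group.name}: minimum sustainable interval {min_scan_interval_days(group)} days")
    print("weekly backlog, large estate:", simulate_backlog(LARGE_ESTATE, 7, 4))
```

With these figures a weekly scan of the large estate leaves 300 unfixed findings after the first cycle and the backlog keeps climbing, while a 10-day cadence clears each scan's results before the next one.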

Trustwave's report also detailed mixed results in relation to the oversight that board members and senior managers have of IT security issues.

Board members are fully involved in security matters at 40% of businesses and partially involved in a further 48% of companies, the survey found. Senior managers take a fully active role in security issues in 52% of businesses, and are partially active on those matters in a further 43% of organisations.

"Business must look at security as a business-as-usual imperative," said Michael Aminzade, vice president of global compliance and risk services at Trustwave. "Understanding their risk level is the first step. By identifying their largest security shortfalls and rectifying them, businesses can stay ahead of the criminals and decrease their risk of getting breached."