Why organizations often have trouble containing cyberattacks

Many companies are hampered by the use of too many security tools and the lack of specific playbooks for common attacks, says IBM Security.


Organizations often spend a lot of time, money, and resources on cybersecurity. Why then are cyberattacks frequently still successful? A report released Tuesday by IBM Security serves up some answers to that question.


Based on a survey commissioned by IBM Security and conducted by the Ponemon Institute, "The 2020 Cyber Resilient Organization Study" found that organizations have gradually improved their ability to plan for, detect, and even respond to cyberattacks over the past five years. Some 26% of the respondents said they've adopted formal, enterprise-wide security response plans during this time, up from just 18% in 2015. However, the ability of organizations to contain an actual attack dropped by 13% over the past five years, which IBM Security attributed to several factors.

First, though response planning has been getting better, 51% of respondents said that their Computer Security Incident Response Plans (CSIRPs) were informal or ad hoc, or simply not applied consistently across the enterprise. This lack of consistency translates into real money: organizations that have incident response teams and extensively test their response plans spend an average of $1.2 million less on data breaches than those that don't have these practices in place, according to IBM.

Second, instead of having too few security products, many organizations have too many. Almost 30% of those polled said they use more than 50 separate security solutions and technologies, while 45% use more than 20 tools to investigate and respond to a cybersecurity incident. Further, many said that each incident to which they responded required coordination across an average of 19 different tools.

A glut of security tools can actually hamper an organization's ability to combat an attack. Among the respondents, those who use more than 50 security tools ranked themselves lower in their ability to detect and respond to an attack. Beyond reducing the number of security products, using open and interoperable platforms along with automation technologies can cut down on this type of complexity. A majority of those surveyed said that the use of interoperable tools helped them improve their response to cyberattacks.

Third, even among organizations with a CSIRP, only 33% had playbooks for specific types of attacks. Among those, the most common playbooks were for DDoS attacks and malware. Even with ransomware on the rise, fewer than half of the organizations with playbooks had one designed for a ransomware attack. Having predefined playbooks to counter common types of attacks gives organizations a consistent and repeatable plan of defense.

"While more organizations are taking incident response planning seriously, preparing for cyberattacks isn't a one and done activity," Wendi Whitmore, vice president of IBM X-Force Threat Intelligence, said in a press release. "Organizations must also focus on testing, practicing, and reassessing their response plans regularly. Leveraging interoperable technologies and automation can also help overcome complexity challenges and speed the time it takes to contain an incident."

To improve your organization's defense methods against cyberthreats, IBM Security recommends the following steps:

  • Implement an enterprise-wide Computer Security Incident Response Plan (CSIRP) to minimize business disruption. But just having a CSIRP is not enough; it should be implemented across the organization and reviewed on a regular basis. As the volume and severity of attacks increase year after year, the lack of an updated CSIRP may increase the risk of experiencing significant disruption to IT and business processes.
  • Tailor response plans to specific attacks in your industry. Cybersecurity attacks come in many forms. Organizations can strengthen their security postures by understanding the top threats in their industries and preparing detailed response plans to help ensure team members know the steps needed to investigate and remediate a specific attack.
  • Embrace interoperability to increase visibility and reduce complexity. As organizations navigate complex security environments, the most effective teams leverage interoperability to increase the visibility of tools and data to help prevent and detect attacks. Approaches that streamline workflows help increase the productivity of the security operations center.
  • Invest in technologies to accelerate incident response. Technologies such as automation, analytics, artificial intelligence, and machine learning, as well as cloud services, were the leading reasons organizations improved their cyber resilience. Automation, in particular, helps companies improve operational efficiency and reduce team churn by freeing up time to focus on the high-value tasks needed to investigate and respond.
  • Align your security and privacy teams. Organizations with stronger cyber resilience recognize that security and privacy go hand-in-hand. Eliminate silos and encourage a culture of collaboration to more effectively respond to data breaches. Bringing the security and privacy teams together early and often will improve security posture sooner than if they work together for the first time during a massive security incident.
  • Formalize C-level/board reporting to raise the visibility of the organization's cyber resilience. Business leaders recognize that cyber resilience affects revenue and reputation. Thus, keeping cyber resilience performance front and center is imperative to ensure it receives the required level of investment and resources.

Conducted by the Ponemon Institute and sponsored by IBM Security, the 2020 Cyber Resilient Organization Report elicited responses from more than 3,400 security and IT professionals from around the world, including the US, UK, India, Germany, Brazil, Japan, Australia, France, Canada, ASEAN (Association of Southeast Asian Nations), and the Middle East.
