CIO

Managing cyber breaches gets more complicated

Cisco’s 2019 CISO Benchmark Study cites challenges in managing multiple vendors and inadequate cybersecurity training for staff

The proportion of companies in Asia Pacific that are incurring financial impact of more than US$5 million from a cyber breach is higher than the global average according to Cisco’s 2019 CISO Benchmark Study.

The annual survey, now in its fifth year, finds that 17 per cent of companies in the key markets of Australia, China, India and Japan saw a financial impact of more than US$5 million from their most severe breach in the past year.

This is more than double the global average of 8 per cent.

Across the Asia Pacific region, this figure is 16 per cent of companies, which is still measurably greater than the 8 per cent global figure.

However, Cisco says it is not all negative news.

The results of the study show that 39 per cent of companies in Asia Pacific were able to contain the cost of a cyber breach to below US$500,000.

This compares to 33 per cent in 2018, so a greater number of companies are experiencing breach costs in the lower categories.

The survey did not ask respondents for specific reasons behind an increase or decrease in costs, but the results highlight some trends that may have played a part, says Cisco.

For example, while cost to the business is clearly a focus, security professionals are changing the way they measure their success based on security outcomes.

Cisco says many respondents are moving toward remediation as a key indicator of security effectiveness.

The study highlighted that only 4 per cent of companies saw an outage that lasted more than 24 hours.

Studies have shown that the faster a company can remediate a cyber breach, the lower the financial impact, says Cisco.

It cites a 2018 study by management consulting firm A.T. Kearney which estimated that an almost instant detection of a cybersecurity breach within a large enterprise costs the business US$433,000.

If detection is delayed by more than a week, the figure triples to an average of US$1,204,000.

“Cybersecurity is a numbers game, one that is skewed in favour of malicious actors. Businesses need to win all the time, while attackers need just one successful hit to make an impact,” says John Maynard, vice president, global security sales organisation at Cisco.

Maynard says every time the attackers succeed, there is a financial impact on the company targeted. This includes out-of-pocket expenses, legal fees, reputational damage and loss of business.

“The fact that an increasing number of companies are being able to contain this cost is a sign that businesses are starting to gain more control and balance their risks when hit by a breach. While this is a move in the right direction, a lot more needs to be done,” he adds.

A buffet of security vendors

The study notes one of the big challenges that companies face is the difficulty in orchestrating alerts across multiple vendors and solutions in their security environment.

Cisco says that while the number of vendors and solutions in use is trending down, the solutions from multiple vendors are not integrated, so alert triage and prioritisation are not shared across them and remain confined to a limited set of dashboards.

The survey found that even CISOs with fewer point solutions could better manage their alerts through an enterprise architecture approach.

“We need to remember that cyber criminals are constantly working together and are relentless in their pursuits of hacking networks and inflicting damage on their targets,” says Stephen Dane, managing director, global security sales organisation, Asia Pacific and Japan at Cisco.

Defenders need to take a similar approach by collaborating more, sharing intelligence and ensuring they stay a step ahead of the attackers.

“The first step is to have a strategic approach to building a comprehensive security environment and ensuring that the solutions are integrated and can work together to defend against potential attacks,” he states.

Training gaps

The study notes another gap in the organisation’s cybersecurity posture.

“If people and users are cited as the weakest link in security, having a process that starts with onboarding new employees is common sense,” says Cisco.

But, according to the survey results, just over half (51 per cent) of respondents rate themselves as doing an excellent job of managing human resources on security through comprehensive employee onboarding and appropriate processes for handling employee transfers and departures.

It also seems counter-intuitive that the trend for training staff in the wake of an incident is flat year-on-year at only 39 per cent of respondents, says Cisco.

Cisco says there is potentially room for improvement in this area, given that only 61 per cent of organisations hold a drill or exercise every six months to test their response plans for cybersecurity incidents.

“Drills can bolster the ability to have the proper controls in place to detect and respond as quickly as possible to mitigate damages,” it states.

Cisco says the 2019 survey was conducted by an independent research firm and covered many industries including retail, transport, manufacturing, financial services, as well as government and higher education.

The 3,259 respondents are full-time employees working in mid-market and large enterprises. The majority hold titles of CISO, director/manager of IT and/or CTO, and 99 per cent of survey respondents have a team in their organisation dedicated to cybersecurity.
