Weak and infrequent cyber-crisis training is leaving companies vulnerable, new research says

Companies are too reliant on dated software, the most essential-to-crises staff aren’t required attendance at cybersecurity training, and the pandemic exacerbated problems, according to a new report.

tech race tech training

Image: iStock

Business leaders cannot reconcile prepping for crises with a desire to build effective cyber-crisis response functions. A new Osterman Research study conducted with Immersive Labs surveyed senior security leaders at 402 different US- and UK-based groups.

SEE: Navigating data privacy (ZDNet/TechRepublic special feature) | Download the free PDF version (TechRepublic)

Coronavirus impact on cyberattack preparedness

Detection of ransomware in business environments rose by 365% between Q2 2018 and Q2 2019 and, thanks to COVID-19, global companies saw 148% spike in ransomware attacks

Most businesses are not confident in their IR (incident response) preparedness, yet the majority (61%) said having an IR plan is “the single most effective way to prepare for a security incident.” As they rely too heavily on this now-dated plan, respondents declared an IR plan more effective than table-top crisis exercising. Almost 40% of senior security leaders said that when they held crisis exercises, there was inaction from the business and those most critical in crisis were missing in cybersecurity training.

In-house and modernized cybersecurity

There is a critical need for more in-house, modernized cybersecurity training, not just within the security department, but across the company. “Dusting off the three-ring binder crisis plan does not cut it today,” said James Hadley, CEO of Immersive Labs in a press release. “In the first 30-minutes of a crisis, it is highly unlikely you’re thinking of your plan. It’s the real-life, crisis simulation training that prepares organizations to effectively respond to security incidents. Micro-drills, or very focused exercises, designed to address particular risks, must make their way into the mix. Much like exercising to stay fit, this needs to happen with regularity in dynamic environments, and involve all the right people, in order to keep current and be effective.”

Business leaders’ misplaced focus

The very real threat of looming attacks from hackers appears to business leaders as less of a critical issue, because many company leaders put too much confidence into the business’ cyber-crisis preparation than is deserved, or necessary. Company security systems fail to adapt to modern threats, and this has resulted in nearly 40% of security leaders without any confidence in responders. 

SEE: Incident response policy (TechRepublic Premium)

Company communication team members participated in only 20% of crisis exercises, yet there weren’t any senior cybersecurity leaders present. This means that the people who will be more relied upon in a crisis situation (25%) haven’t even attended security training with colleagues. 

Security leaders (47%) are more preoccupied with brand impact than share price (24%) or liquidity (27%). Nearly 50% of respondents said their companies don’t have a cross-disciplinary cyber-crisis group. Of those that do have such groups, only 17% met monthly.

The trouble with telecommuters

Remote offices and their staff create problems because 20% of respondents said it is “impossible” to effectively involve them. Many companies overlook “the human element of the cyber equation” in crisis response exercises: Only 15% focused on stress-tests on human-cyber readiness. 

Setting the focus straight

More than a third of organizations simply do not comprehend the quick pace of the threat landscape, so they let one or more years go by between cyber-crisis simulations, and 42% do not have regular cross-team incident planning. 

Instead, crisis exercises are confined to technical teams:

  • With 59% missing a member of the C-suite
  • 80% run without communications function
  • 87% neglecting customer teams
  • Only 2% of businesses have run incident response scenarios related to pandemic response

Security leaders, the report recommends, need to focus on the people in the company and avoid reliance on technology investments. It seems easier to throw money at problems, and nearly 60% of those surveyed said the best way to prepare for a crisis is to buy more tech. More of those same leaders are more concerned about covering themselves legally (38%) than conducting effective tabletop exercises and fire drills (32%) to train teams. 

SEE: Identity theft protection policy (TechRepublic Premium)

More than a third of organizations surveyed space tabletop exercises a year or even two years apart, despite that, most (65%) involve a review of PowerPoint slides, which are nearly 20 times more common than practicing simulations. Most (64%) conducted three or fewer scenarios during their most recent exercise. 

“If you did your ransomware training in January, you’re likely five ransomware techniques behind the curve now,” Hadley said in a press release. “With three-quarters of organizations agreeing that business continuity was at the forefront of their minds, it is time to close the gap between attackers and defenders and shake up the outdated status quo. This requires faster, shorter crisis drills run with the people you will be standing shoulder to shoulder with when the worst happens. Crisis exercises must be made more contemporary.”

Sharpening awareness

Immersive also announced the release of the Cyber Crisis Simulator, delivered through a browser, and provides a resource for consistently improving and measuring cyber awareness. Security personnel can continually test their businesses’ reactions to up-to-date actual cyber attacks, and is designed for security departments and cybersecurity specialists, but also for the company’s communications and legal teams. 

Also see