77 Percent of Businesses Have No Cyberattack Response Capability

Did you know that lean­ing into your cyber risks can be a source of com­pet­i­tive advan­tage? Here’s a stun­ning data point that makes my case.

The NTT Group (Japan­ese AT&T) recent­ly released their 4th annu­al Glob­al Threat Intel­li­gence Report (GTIR). Sim­i­lar to the recent­ly released Ver­i­zon Data Breach Inci­dent Report, the NTT report…

…ana­lyzes attacks, threats and trends from the pre­vi­ous year, pulling infor­ma­tion from 24 secu­ri­ty oper­a­tions cen­ters, sev­en R&D cen­ters, 3.5 tril­lion logs, 6.2 bil­lion attacks and near­ly 8,000 secu­ri­ty clients across six con­ti­nents.

Here’s one of their most strik­ing find­ings for 2015:

Trend data over the last 3 years illus­trates on aver­age only 23 per­cent of orga­ni­za­tions are capa­ble of respond­ing effec­tive­ly to a cyber inci­dent. 77 per­cent have no capa­bil­i­ty to respond to crit­i­cal inci­dents and often pur­chase inci­dent response sup­port ser­vices after an inci­dent has occurred.

You can find this sup­port­ing chart on page 47:

Screenshot 2016-05-02 07.50.21

My ini­tial reac­tion is that exec­u­tives are plan­ning for cyber attacks as they do for 100-year floods: We’ll deal with it, if it ever hap­pens.

Giv­en the fre­quen­cy and sever­i­ty of the attacks doc­u­ment­ed in the rest of the report, and all over the news media, that’s not lined up at all with the real­i­ty of today’s cyber risks!

But back to the oppor­tu­ni­ty for com­pet­i­tive advan­tage: What if your fiercest com­peti­tor was a mem­ber of the 77% and was cyber-attacked? They could expect to bleed cash and be dis­tract­ed for months. Now what if you were one of the 23% able to effec­tive­ly respond to a major cyber­se­cu­ri­ty inci­dent? How would that boost dig­i­tal trust with your cus­tomers and part­ners? How much rep­u­ta­tion would you save by hav­ing your experts get out in front of the sto­ry? And, how much more quick­ly could you get back to work­ing on what’s most impor­tant to your busi­ness?

By the way, if you want a glimpse at data breach response done very well, check out this cri­tique of Anthem Blue­Cross BlueShield­’s 2015 data breach. If you want to see a poor­ly done exam­ple, here’s a cri­tique of Talk­Talk’s slow, awk­ward response.

Which one would you rather be?

Please note: I reserve the right to delete comments that are offensive or off-topic.