In Mimecast’s latest State of Email Security research, companies that have implemented cyber resilience strategies report less disruption and greater confidence.
- A growing number of companies have implemented cyber resilience strategies, considered an industry best practice.
- These cyber-strategic companies have had fewer successful ransomware attacks and Microsoft 365 outages.
- Still, more than half of companies say they have no cyber resilience strategy in place.
The events of the past year have put a premium on cyber resilience strategies to keep businesses up and running. As companies have fast-forwarded their digital transformation, decentralized work and redefined customer engagement, they’ve exposed more of their business to cybercriminals, who’ve leapt at the opportunity. Companies that take an ad hoc approach to the problem are at a clear disadvantage.
Two statistics from Mimecast’s new report, State of Email Security 2021 (SOES), underscore how businesses have gone virtual and sent cyber risk through the roof. Some 81% of companies have seen their use of email increase, as the primary means of both internal and external communications. At the same time, email-based security threats soared by 64%, remaining cybercriminals’ preferred mode of entry for attacks ranging from data theft to ransomware.
Cyber Resilience Strategies Deliver
Were some companies more prepared than others? The SOES research shows that 44% have a cyber resilience strategy in place — a group we’re calling the cyber-strategic companies. Nearly all the rest (54%) say they are at some stage of planning or rolling one out. (Mimecast’s SOES webinar on May 6 will delve into the obstacles they face; you can register here to attend.)
Cyber resilience strategies enable companies to adapt to shifting cyber risk, anticipate and withstand attacks, and recover quickly should one succeed. Effective strategies continually engage people, policies, processes and technology throughout the organization. They cover a range of technology, risk management, contingency, continuity and compliance planning.
How have companies with cyber resilience strategies fared in the past year? SOES 2021 results indicate that cyber-strategic companies have performed better than their peers in areas including the following:
- Business impacts: Cyber-strategic companies have more successfully evaded damage to their business. When questioned about a broad category including business disruption, lower employee productivity, data loss, financial loss, reputational damage and compliance issues, more than a quarter of them (27%) said they hadn’t experienced any of these impacts in the past year. That compared with 19% of all respondents and 13% of those without a cyber resilience strategy already in place. The number of cyber-strategic companies that experienced each of the specific issues listed above was up to 5% fewer than all respondents.
- Ransomware: Nearly half (46%) of cyber-strategic companies said they hadn’t been hit by ransomware, a leading threat today. That compared to 31% of those without a cyber resilience strategy. The cyber-strategic companies also tended to report less downtime due to ransomware: 27% recovered in less than a day, compared to 19% for all companies.
- Outages: 39% of cyber-strategic companies said they’d experienced no outages of Microsoft 365, the dominant business productivity platform, versus 26% of those without a cyber resilience strategy. One reason could be that 46% of companies with cyber resilience strategies in place have applied an added layer of security to M365, versus 21% of respondents without a cyber resilience strategy.
- Confidence: 35% of cyber-strategic companies don’t expect an email-borne attack to harm their business this year, compared to 28% of all companies. When it comes to collaboration tools such as Slack, 46% of cyber-strategic companies are very confident of security, versus 36% of all companies. Underlying their confidence, perhaps, is that a higher percentage of companies with cyber resilience strategies say they have a sufficient 2021 budget for security systems and staff.
A Work in Progress
Even cyber-strategic companies realize that more progress is needed as the landscape continues to shift. And while the 44% of companies with cybersecurity strategies in place is up from 30% of companies in 2017, that leaves more than half today without a strategy. Meanwhile, 60% of all companies surveyed expect increasingly sophisticated attacks and 52% see a growing volume of attacks in 2021.
Notably, the risk of human error is frustrating even the cyber-strategic companies, who expect employees — especially those working remotely — to create vulnerabilities through errors using their personal email (72%) or “shadow IT” such as unauthorized applications (66%). This, despite their more frequent security awareness training, which 46% of cyber-strategic companies conduct monthly or more frequently (“on an ongoing basis”) versus 23% of respondents without a cyber strategy in place.
Innovation and automation are among the chosen approaches for many cyber-strategic companies to keep improving their resiliency. For example, half said they currently use advanced technologies such as artificial intelligence or machine learning to improve security, compared to 38% of all respondents. Cyber-strategic companies are also ahead of the pack in using the Domain-based Message Authentication, Reporting & Conformance (DMARC) protocol to verify emails, as companies have awakened to the need to protect their brands online. Some 43% of them already use DMARC, compared with 26% of all respondents.
In addition, security leaders are working more closely with business teams to increase resilience, according to a new survey from PwC Research. “Going forward, a key factor for most organizations will be the orchestration of separate business continuity, disaster recovery and crisis management functions,” the group said.
The Bottom Line
Many companies are stepping up their strategic thinking on cyber resilience and beginning to see it pay off. Yet more than half are still planning or rolling out their cyber resilience strategies. You can learn from your cyber-strategic peers’ progress in Mimecast’s recent SOES report and its upcoming webinar on May 11.