Businesses are less prepared for cyber threats than they think

Threats to your company’s systems are always out there – from scammers, to hackers, to data breaches and outages. But when it comes to preparing for these incidents and their fallout, many companies take the approach of “we’ll deal with it if it comes up.”

That can be a huge mistake.

Types of incidents

A recent study by The Economist Intelligence Unit looked at how companies prepare (or don’t prepare) for cyber incidents. They interviewed 360 executives and spoke with experts in the field.

More than three-quarters of respondents said their organization had suffered a cyber incident in the previous two years.

But cyberattacks, which are among the most feared kind of incident, weren’t the most common. The two most common incidents were:

  • accidental major systems outages (29%), and
  • loss of sensitive data by an employee (27%).

Rounding out the top five:

  • malicious disruption of systems (24%)
  • theft of data by employee (18%), and
  • intellectual property theft by an employee (11%).

State of preparations

With so many respondents having experienced outages or knowing the fallout they can have (see the Target and Adobe breaches), it’s perhaps surprising how many companies don’t have an incident response plan outlined. According to the survey, only 61% of companies had a formal incident response plan in place (24% were in the process of planning one) and 65% had a formal incident response team (with another 18% saying they were in the process).

These plans aren’t an abstract idea in case of an unthinkably rare event. According to the survey, 30% of respondents said they saw more cyber incidents last year than in previous years.

The fact is, companies are being hit with major incidents. And plans are needed to address these.

But if you ask most companies, they feel just fine about their incident response: 73% indicated they were at least somewhat prepared for an incident. Seventeen percent said they were fully prepared.

Forming (or improving) a team

If you don’t have an incident response team, you’ll want to get right on forming one. If you do have one, chances are it could use a tune-up.

The first step is determining who should be involved. Most teams will consist of:

  • IT and IT security. Chances are you’ll be called on to take the lead in the wake of an IT disaster. That’s probably how it should be. Be prepared to handle the discovery of the incident, the immediate fix, communicating the problem to others and starting work on preventive measures to keep it form happening again.
  • General management. You’ll want other managers and department heads to be made aware of the issue so they can inform users you’re on it and working on a solution. If nothing else, they will be a go-between for you and users.
  • Finance. The average cost of a cyberattack is $12M. For small businesses, that’s obviously a high figure, but your finance team should know they could be looking at a significant loss in data, resources or reputation.
  • HR/legal. Depending on your industry, data breaches may have to be reported. Inform legal reps of the incident right away.

It’s perhaps a good idea to note: Firms that suffered an incident in the past two years were almost twice as likely to have an arrangement with a third-party expert than those who didn’t.

That could signal those who have been through the fire see a value in going outside the organization. Whether that’s right for you or not may not be something you know until you’ve walked in their shoes (and here’s hoping you’ll never have to).

The best incident response resource: Users

One final note: If you’re looking to improve your incident response team (and, indeed, prevent incidents in the first place), user training is the way to go.


Users were the group that found incidents first most often. Employee vigilance tied with routine checks (46%) were the means by which companies were first alerted to incidents. And executives indicated that a better understanding of threats and awareness of preparations were the best ways to be prepared for a cyber incident.

Goes to show: Training will pay off.

Make Smarter Tech Decisions

Get the latest IT news, trends, and insights - delivered weekly.

Privacy Policy