A survey commissioned by email security firm Mimecast and conducted by Vanson Bourne has revealed that even after GDPR’s introduction, more than half of UK firms have no Cyber Resilience Plan.
What Is A Cyber Resilience Plan?
An organisation’s cyber resilience is its ability to prepare for, respond to and recover from cyber-attacks, and a Cyber Resilience Plan details how an organisation intends to do this. Most organisations now accept that the evolving nature of cyber-crime means that it’s no longer a case of ‘if’ but ‘when’ they will suffer a cyber-attack. It is with this perspective in mind that a strategy should be developed to minimise the impact of any cyber-attack (financial, brand and reputational), meet legal and regulatory requirements (NIS and GDPR), improve the organisation’s culture and processes, protect customers and stakeholders, and enable the organisation to survive beyond an attack and its fallout.
More Than Half Without
Mimecast’s survey shows that even though 51% of IT decision-makers polled in the UK say they believe it is likely or inevitable they’ll suffer a negative business impact from an email-borne cyber-attack in the next 12 months, 52% still don’t have a cyber resilience plan in place.
Email is a critical part of the infrastructure of most organisations and yet it is the most common point of attack. It is with this in mind that the Mimecast survey has focused on the challenges that managing the security aspects of email present in terms of cyber resilience and in achieving compliance with GDPR.
One potential weakness that the survey revealed is that only 37% of UK IT decision-makers said that email archiving and e-discovery are included in their organisation’s cyber resilience strategy. When you consider that email contains a great deal of personal and sensitive company data, its protection should really be at the core of any cyber resilience strategy.
Also, for example, in relation to GDPR, not having powerful archiving systems to enable emails to be found and deleted quickly upon a user’s request could pose a compliance challenge.
Human error in terms of not being able to spot or know how to deal with suspicious emails is a common weakness that is exploited by cyber-criminals.
What Does This Mean For Your Business?
If the results of this survey reflect a true picture of what’s happening in many businesses, then it indicates that cyber resilience urgently needs to be given greater priority, particularly since it is now a case of ‘when’ rather than ‘if’ a cyber-attack will occur. Also, the risks of not addressing the situation could be huge in terms of risks to customers and stakeholders and the survival of the business itself, particularly given the huge potential fines under GDPR for breaches.
Email, and particularly email archiving (what’s stored, where, and how well and quickly it can be searched), poses a serious challenge. Businesses should reassess whether their email archiving strategy is effective and safe enough, and security should go beyond archive encryption to guard against impersonation attacks and malicious links.
Bearing in mind the role that human error so regularly plays in enabling attacks via email, education and training in this area, alongside a clearly communicated company policy and best practice for managing email safely, should form an important part of a company’s cyber resilience.