Dive Brief:
- Corporate programs designed to boost the cyber resilience of employees are falling short on their goals, with more than half of cybersecurity leaders saying their workforce is not prepared for an attack, according to an Osterman Research report sponsored by Immersive Labs.
- Two-thirds of organizations fear that nearly all of their employees (95%) would not know how to recover following a cyberattack. Recovery priorities might include operating without core IT systems and switching to manual processes to get important tasks completed.
- “There is an unfortunate disconnect between leaders’ confidence in team preparedness and real cyber resilience,” Max Vetter, VP of cyber at Immersive Labs, said via email. “This is because legacy training measures attendance, not real capabilities.”
Dive Insight:
The report comes at a time when companies are being urged – and in many cases required – to rethink their cyber governance and resilience capabilities.
Government regulators and insurance companies are increasingly holding companies accountable for how they manage customer data and key governance issues. They are examining a range of practices, including cyber awareness training, cyber hygiene, incident response and board oversight of data security practices.
Insurance companies are calibrating premiums and underwriting criteria based on how well companies manage their security programs.
However, the report indicates companies are offering training too infrequently and raises questions about the real value of industry certifications.
The report also shows that companies need to get their boards of directors more involved to drive accountability, but in many cases that oversight isn’t quite there.
The report, produced by Osterman Research, is based on a survey of 570 senior-level security and risk leaders in the U.S., U.K., and Germany at companies with at least 1,000 employees.