NEW YORK, Oct. 16, 2018 /PRNewswire/ -- Nearly half (46 percent) of executive-level respondents to a Deloitte poll say their organizations have experienced a cybersecurity incident over the past year, with more than 1,500 surveyed professionals feeling only "somewhat confident" in their organization's ability to respond to and remediate a cyber incident.
With cyber-crime expected to reach $6 trillion annually and no indication of a slowdown in cyber threats, the Deloitte poll, taken during a webcast on cyber preparedness and wargaming, exposes a still-siloed approach to cybersecurity that can be harmful to organizations. Everyone has a role to play in cyber awareness and in their own organization's incident response, yet 30 percent of CEO and executive-level respondents identified the lack of employee understanding of the organization's cyber incident response plan as their biggest challenge when reacting to a cyber incident, with 20 percent reporting a lack of resources such as funding, tools, and skills as the biggest challenge.
"We used to say it's 'not if, but when' an organization will experience a cyber incident. That message has evolved well beyond a single incident to 'how often' or 'how to respond to and withstand persistent attacks,'" said Andrew Morrison, principal, Deloitte Risk and Financial Advisory Cyber Risk Services, Deloitte & Touche LLP. "Improving internal processes and providing employees with the knowledge, practice and skills needed to succeed can help organizations mitigate risk through preparedness, as well as increase overall business resilience to future attacks."
Forty-nine percent of executive and C-level respondents to the poll admitted that their organization does not conduct cyber wargaming exercises, with more than one-third (34 percent) indicating that they do not know their individual role within their organization's cyber incident response plan. These findings are consistent with Deloitte's recently released CEO and Board Risk Management Survey, which identified cybersecurity as the biggest threat to organizations — and yet only 25 percent of the 400 CEOs and board members surveyed said their organizations are actively wargaming or scenario planning for cyber incidents.
"Cyber wargames are an important way to raise awareness of the latest cyber risks and attack types, as well as cyber risk management and adaptive response capabilities an organization needs during, after, and preparing for the next cyber incident," said Daniel Soo, cyber wargaming leader for Deloitte cyber risk services, and Deloitte Risk and Financial Advisory principal, Deloitte & Touche LLP. "The most impactful wargames are those that use live knowledge of an organization's current threat environment to support the decision-making process across operations, finance, regulatory, marketing, and beyond."
A typical wargame allows participants to hone organizational reflexes and collaborative judgment capabilities required to avert or reduce a cyber incident crisis with real-time injects and threat vectors that mirror those an organization would likely encounter. For organizations looking to incorporate cyber wargaming into their incident response planning program, Deloitte offers the following lessons from the field:
- Focus on learning objectives to understand what your organization needs at its current level of maturity.
- Involve a broad group of participants to mature more quickly. While running exercises amongst specific executive and functional teams is important, identifying intersections between different teams and mixing silos creates a more realistic dynamic.
- Keep it simple at the start. The minutiae of daily work environments won't disappear during a cyber incident, but they can distract and detract from the lessons learned during a wargaming exercise. When your organization is just getting started with wargaming, gathering participants in one place can be valuable to set the stage.
- Plausibility is crucial. Identifying a realistic scenario with realistic vulnerabilities drives real actionable results.
Deloitte Cyber Risk Services has conducted hundreds of cyber wargaming exercises over the past several years, with organizations now repeating exercises and testing new scenarios as often as six to eight times per year. This shift in cyber preparedness is consistent with the number of companies aligned with industry organizations that practice their collective cyber response and information-sharing procedures. Examples include simulations such as the financial industry's SIFMA Quantum Dawn exercises; Cyber RX in the healthcare industry; and Cyber Storm, a biennial cyber exercise sponsored by the Department of Homeland Security that spans industries.
About the online poll
More than 3,150 professionals across industries and positions participated in and responded to poll questions during the Deloitte Dbriefs webcast, "Cyber wargaming: Building cyber resilience in an era of cyberattacks," held May 31, 2018. Respondent organizations include accounting (40 percent); finance (20 percent); auditing (20 percent); regulatory compliance (4 percent); tax (3.6 percent); risk (2.4 percent); information technology (1.8 percent); analytics (1.7 percent); and operations (1.5 percent). Answer rates differed by question.
Deloitte provides industry-leading audit, consulting, tax and advisory services to many of the world's most admired brands, including more than 85 percent of the Fortune 500 and more than 6,000 private and middle market companies. Our people work across more than 20 industry sectors to make an impact that matters — delivering measurable and lasting results that help reinforce public trust in our capital markets, inspire clients to see challenges as opportunities to transform and thrive, and help lead the way toward a stronger economy and a healthy society. Deloitte is proud to be part of the largest global professional services network serving our clients in the markets that are most important to them.
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee ("DTTL"), its network of member firms, and their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as "Deloitte Global") does not provide services to clients. In the United States, Deloitte refers to one or more of the US member firms of DTTL, their related entities that operate using the "Deloitte" name in the United States and their respective affiliates. Certain services may not be available to attest clients under the rules and regulations of public accounting. Please see www.deloitte.com/about to learn more about our global network of member firms.