Companies failing to plan for many cyber dangers

Only 22 percent of companies have a comprehensive plan in place to deal with major security incidents

business planning

Only 22 percent of companies have a comprehensive plan in place to deal with major cybersecurity incidents, according to a new survey from KPMG and British Telecom.

Meanwhile, 97 percent said they have been the victims of a digital attack, and 55 percent said that they have seen an increase in cyberattacks.

"Our research is showing us that people don't have a plan that they can turn to if they are under considerable attack," said BT Americas CISO Jason Cook.

In particular, a good plan should include more than just the IT department, he said.

"Do you deliberately mention business functions that are not directly tied into cybersecurity?" he asked. "What does the legal team do? How does vendor management get involved? How do you communicate with partners and customers?"

The plan also has to be continuously reviewed to adapt to the changing security landscape, he added -- it's not enough to come up with a plan and then not look at it again.

In addition, only 23 percent have adequate cyberinsurance in place.

"The rest have either no cyberinsurance, or have inadequate cyberinsurance," he said.

For example, cyberinsurance can typically cover loss and damage to digital assets, business interruption costs associated with system downtime, direct financial losses associated with a cyber fraud or extortion attempt, provision of specialist support to incident management and forensics and investigation, and provision of reputation management services, said David Ferbrache, technical director for cyber security at -based KPMG

Companies should also look for coverage related to problems that relate to their business partners.

"This might cover the damages associated with a security breach which impact a third party such as inability to meet contractual obligations," he said.

Insurance policies may also cover specifically things like physical damage that results from cyber attacks on industrial control systems.

"This has been an issue for oil and gas firms and industrial manufacturing firms," he said.

[ RELATED: Corporate culture hinders cyber insurance buy-in ]

According to the survey, 51 percent of companies also had no strategy for dealing with ransomware and other types of blackmail, said BT's Cook.

The report was based on a survey of 100 CISOs, CIOs and other IT executives at Fortune 500 companies in the US, the UK, Singapore, India and Australia.

In another survey released this week by Tripwire, 93 percent of information security professionals at Infosecurity Europe 2016 said that they expect ransomware attacks to escalate, 56 percent said that ransomware is one of their top three security concerns -- but only 32 percent said they were "very confident" that they could recover from a ransomware infection without losing critical data.

Copyright © 2016 IDG Communications, Inc.

22 cybersecurity myths organizations need to stop believing in 2022