93% of UK businesses have experienced a business-critical cyber incident, yet they are 21% less likely to have a dedicated environment in which to recover
New research by Commvault, a leading provider of cyber resilience and data protection solutions for the hybrid cloud, in collaboration with research firm GigaOm, has revealed that the UK experiences a higher rate of critical cyber incidents than any other country. A cyber incident can be defined as an event or series of events that negatively affects the security of data systems or digital information within an organisation, including a security breach or ransomware attack.
Only 7% of the UK businesses surveyed report never having experienced a “business-critical” incident, compared to 14% of the rest of the world. This means that a staggering 93% of UK businesses have experienced a business-critical incident, of which 57% occurred in the past 18 months.
Despite experiencing more frequent devastating incidents than the global average, UK organisations are falling behind when it comes to their readiness to react and recover from cyberattacks. According to the research, they are 21% less likely to have deployed a dedicated recovery environment, and 11% less likely to have tested their recovery plans within the last month compared to the other countries – two aspects of a recovery plan that are widely considered to be fundamental.
Barriers to Being a Minimum Viability Company
The survey also highlights key findings tied to the Minimum Viability Company (MVC) concept. This concept outlines the core operations that are necessary to resume business quickly after aย cyberattack. In an age whereย cybercriminalsย are increasingly sophisticated, infiltrating backups withย malware, or planting dormantย ransomwareย that activates after restoration, this approach is fundamental to operating in a state of continuous business.
Survey respondents stated that the biggest challenge preventing UK businesses from achieving minimum viability is the complexity of existing systems and applications (52%), followed closely by the struggle to keep recovery plans in line with changing business needs (47%).
Catch more CIO Insights:ย What is Shadow IT and why does it matter for enterprise security?
Almost a third (30%) cited difficulties separating ‘core’ systems from less business-critical, ‘broader’ operations as another primary barrier to implementing the MVC concept.
However, nearly two-thirds of UK businesses have laid some foundational steps in their efforts to be resilient against attacks, with 65% having an inventory of business-critical systems and dependencies and 61% creating defined runbooks, roles, and processes for incident responses. This is ahead of the global averages of 50% and 41%, respectively. This suggests that while UK businesses are investing time and resources into incident response preparations, that is not translating into real-world recovery readiness.
Many of these cyber readiness practices are directly relevant to establishing what’s needed to adopt a MVC approach. Yet only 36% of UK organisations strongly believe that they should prioritise the minimum viability approach.
“With the threat landscape evolving, business recovery is now a key concern at the board level,” saidย Richard Gadd, Senior Vice President, EMEA, Commvault. “However, this research identifies critical gaps many organisations in the UK face as they rapidly try to advance their cyber resilience strategies. Having a tested recovery plan in place and a dedicated recovery environment in the cloud can make all the difference between chaos and continuous business.”
“Business-scale cyberattacks are now the norm, not the exception. If complexity is killing efforts to prepare for recovery, executive leaders need to assume control and set business-level priorities, so they can keep the organisation running after an attack,” saidย Howard Holton, Chief Operating Officer, GigaOm.
[To share your insights with us, please write toย psen@itechseries.com ]
