Big gaps found in corporate cyber defenses

As companies continue to exapand their digital business strategies, nearly two-thirds (63%) of C-suite executives report their companies experience significant cyberattacks daily or weekly. Only 25% of them, however, said their organization always incorporates measures into the design of their company’s technology and operating models to make them more resilient, according to a new Accenture survey.

The survey also finds that in response to the situation, 88% of the more than 959 executives—including some in the banking industry—believe their cyber defense strategy is robust, understood, and fully functional. Nearly as many (86%) measure their organization’s resilience to determine what improvements are needed.

Further, only 9% of executives said their company proactively runs inward-directed attacks and intentional failures to test their systems on a continuous basis. About half (53%) of those surveyed said their company has a continuity plan that they refresh as needed. Just 49% map and prioritize security, operational, and failure scenarios and even fewer (45%) have produced threat models to existing and planned business operations to enable rapid responses to an attack or system failure. Only 38% of the executives said their companies had thoroughly documented the relationships between their technology and operational assets to identify resilience risks and dependencies in their organization.

“Given the prevalence of cyberattacks on today’s companies and government organizations, the only question for most is when a cyberattack will occur, not if it will occur,” says Brian Walker, managing director, Accenture Technology Strategy. “While savvy executives know where their weak spots are, and work across the C-suite to prepare accordingly, testing systems, planning for various scenarios, and producing response and continuity plans that guide quick actions when a breach occurs, the data clearly shows that companies by and large have more work to do.”

According to the report, successful enterprises recognize that responsibility for resilience and agility does not just fall to the CIO, chief information security officer (CISO) or chief risk officer. On average, the research found that companies have two executives in the C-suite who are responsible for continuously monitoring and improving their business resilience. Nineteen percent of the represented companies had a “dedicated resilience officer.”