There’s too much focus on ticking boxes to please auditors or clients, too much paperwork, too much required effort to maintain such plans, too little hands-on implementation, too little buy-in, too little enthusiasm from staff, too little actual cyber incident readiness, and too little effort put into preparing staff to think on their feet when an actual ransomware or other information security incident occurs.
It affects entire organisations. Senior management ends up with a false sense of security that everything is covered by technical controls, that information security risks are managed well, and that staff are ready to act if a cyber-attack were to occur – and that is if management even understands that the broader workforce must play a part in identifying and reducing information security risks. In reality, only a few individuals, such as the Chief Information Security Officer (CISO) and any IT (Security) staff, keep themselves familiar with the content of the plans and procedures, or, even worse, they are the only staff who even know these exist.
Often, Information Security (IS) processes and related Cyber Incident Response Plans (CIRPs) exist on paper, rather than actually being embedded across the organisation.