Cyber resilience is the subject of a recent report by Immersive Labs. The report finds that a steady increase in cyberattacks and an evolving threat landscape are leading more organizations to turn their attention to building long-term cyber resilience; however, many of these programs fall short and fail to prove teams' real-world cyber capabilities.

The report surveyed 570 senior security and risk leaders at UK-, US- and Germany-based enterprises with at least 1,000 employees. It found that while 86% of organizations have a cyber resilience program, more than half (52%) of respondents say their organization lacks a comprehensive approach to assessing cyber resilience.

Strengthening cyber capabilities tops the list of strategic priorities for organizations in 2023, with increasing the cyber resilience of cybersecurity team members (83%) and of the general workforce (75%) identified as the two highest overall focus areas. Organizations have taken steps to deploy cyber resilience programs; however, 53% of respondents indicate their organization's workforce is not well prepared for the next cyberattack (of any kind), and just over half say they lack a comprehensive approach to assessing cyber resilience. These statistics indicate that although cyber resilience is a priority and programs are in place, their current structure and training are not producing demonstrable capability.

Two out of three organizations are not confident that 95% of their workforce would know how to recover from a cyber incident. The tasks they most want staff to be able to handle include maintaining business operations without the availability of core IT systems, completing urgent work through manual processes, and not hindering recovery by reconnecting compromised devices to the network.

While almost all organizations encourage industry certifications, only 32% say these are effective at mitigating cyber threats. Classroom training is offered too infrequently to be effective, with only around a quarter (27%) of respondents indicating that they receive monthly training. Almost half of respondents (46%) say their employees would not know what to do if they received a phishing email, despite years of security awareness training and phishing tests.

Almost half (46%) of senior security and risk leaders say they do not have the metrics they need to fully demonstrate their workforce's resilience in the face of a cyberattack. Only around 6% of organizations use informative metrics such as time taken to remediate vulnerabilities, intrusion rates, internal data loss, and incidence rates of various threat types.