More companies have formal, enterprise-wide security response plans in place, according to IBM Security’s latest Cyber Resilient Organization Report. It found that 26% of respondents have such a plan in place today compared with 18% in 2015.
That’s the good news.
The bad news: this means the vast majority of organizations (74%) still have no security response plan, or say their plans are ad hoc or applied inconsistently at best. And this lack of security response planning can be very expensive. A different IBM Security report published earlier this month found that cloud security breaches can cost companies more than $50,000 in less than an hour. According to an IBM data breach study from last year, companies that have incident response teams and extensively test their incident response plans spend an average of $1.2 million less on data breaches than those that have neither of these cost-saving factors in place.
Practice the Response Plans
And even companies that do have security response plans in place don’t necessarily test or review those plans. Only 7% review their response plans quarterly, and 40% said they had no set time period for reviewing and updating the plan — an increase of 8% since 2015.
In addition to leaving companies unprepared to respond to an attack or breach, this suggests that many of them may also be relying on outdated response plans that don’t reflect current attacker techniques or the current business landscape — like an increasingly remote workforce due to the COVID-19 pandemic.
“That’s like having ... the best plan in place for a winning football strategy, but your team never practices,” said Wendi Whitmore, VP of IBM X-Force. “And so if you get out on the field on game day, every player on the field might have memorized that playbook, but if they’ve never practiced together, then it’s gonna be really hard to win that game. That’s what we’re seeing across the board. Organizations are definitely becoming more sophisticated, technology is getting tremendously better, and people are getting smarter. But at the end of the day, if we’re not practicing and doing the basic fundamentals to respond well when it needs to happen — i.e., in the event of a breach or crisis — we’re still going to really struggle to do that successfully.”
Speaking of playbooks, the survey found that only one-third of companies with a formal security response plan (that’s 17% of total respondents) had also developed specific playbooks for common attack types such as distributed denial of service (DDoS) or malware. Among organizations using attack-specific playbooks, only 45% had plans for ransomware attacks, which IBM’s 2020 X-Force Threat Index found had spiked nearly 70% in recent years.
Develop a Ransomware Playbook
“If you have no other playbook, at least have one for ransomware,” Whitmore said. “Understand what you’re going to do, where your most sensitive data is, how it can be accessed, where it’s backed up, and ideally have it backed up in an offline capacity that’s not connected to the network so that you can have access to that in the event that it does become encrypted by a ransomware attack.”
Most organizations do not have ransomware playbooks because executives remain skeptical, Whitmore said, adding that she and her team get questions from customers and their own board of advisors asking if these attacks are effective. “Or could they really potentially bring my business down? And unfortunately, the answer is yes,” she said. “These ransomware attacks are becoming more targeted, more specific, and more successful in terms of actual, specific types of data the attackers go after. And then being very, very focused on their approaches, and as a result, the ransom amounts being requested are going up significantly because attackers are aware of the data that they have access to.”
Plus, attackers are spending more time in companies’ IT environments. The average used to be between 60 and 90 days, Whitmore said. “And now we’re seeing it more like three to six months that an attacker can stay in an organization observing things before they deploy the ransomware. That additional time then gives them an opportunity to target a very specific department, for example, and know that the data that they’ve now taken was not backed up in other places. So they’re more confident in the [ransom] figures that they’re asking for.”
Complex Security Environments
The report also found that complexity hurts companies’ response to attacks. While this isn’t new — many of the problems chief information security officers (CISOs) face today stem from complex IT environments and too many security products spread across those environments — it’s worth noting. According to IBM, organizations using 50 or more security tools ranked themselves 8% lower in their ability to detect an attack, and 7% lower in their ability to respond to one, compared with respondents using fewer tools.
“It’s counterintuitive,” Whitmore said. “I've been responding to breaches for the last two decades now and one thing that we see consistently with technology is that it can give this false sense of security that as long as you have the technology in place you don’t necessarily need to have the people who are trained in using it, and that the technology will just do its job.”
Because of this, Whitmore said, she tells organizations that instead of allocating budget to simply buy more security tools, they should invest in a managed security service associated with the product, or in training the employees who will manage the security tool. “So that you can make sure that it’s actually used successfully, and that it is going to defend the organization against an attack.”
This is the fifth year that the Ponemon Institute surveyed organizations about their ability to prepare for and handle cyberattacks for an IBM Security-sponsored report. The 2020 edition surveyed more than 3,400 security and IT professionals from around the world.