Asleep At The Cyber Switch: Most Firms Can't Measure Their Security Metrics

Email ransomware is a huge threat. But many companies are not defending themselves against it. And most that are do not have a clue as to whether they’re getting their money’s worth, according to “The 2017 State of Cybersecurity Metrics Annual Report,” by Thycotic.

Asked to rate their ability to measure their investments and performance, 58% said they are failing at their investment. In school grading terms, 50% scored an F, and 8% earned a D.  Not everybody flunked -- 18% pulled an A, and 13% a B, while another 11% earned a C. But 80% are dissatisfied with their security metrics, whatever their grade. And 34% admit they are blindly investing in their programs.

Thycotic polled 400 executives worldwide. The majority were from North America, but others hailed from Europe, Russia, India, Central and South America. They work in financial, technology, manufacturing, healthcare, government and other sectors.

Of that sample, 83% fail to consider the business impact in their security decisions. And 80% fail to measure the success of their training investments.



Worse, 80% are have no idea where their most sensitive data is located, or whether it is well protected. And 75% have not taken measures to comply with laws in this area. Another 60% do not adequately protect privileged accounts.

Small businesses are especially vulnerable to cyber attack, although they are usually a secondary target: The goal is to leverage partnerships they have with larger companies.

Statistics from the Cyber Security Alliance show that 60% of SMBs go out of business within six months of an attack.

Here are a few other depressing stats: 

  • Two-thirds fail to explore whether their disaster recovery will work as planned
  • Eight out of ten do not make sure that their employees understand their IT security policies, and don't measure this 
  • Four out of five are not communicating effectively with business stakeholders, and don't include them in cyber security investment decisions

Why are companies so sloppy when it comes to metrics? Here’s what they say:

  • Don’t have the time — 37.1%
  • Don’t have adequate resources — 42.7%
  • Don’t have sufficient knowledge — 28.4%
  • Are not allocating enough budget — 32.3%
  • Not applicable — 31.5%

What to do? Thycotic offers these suggestions:

The first priority is to educate all stakeholders. Make the C-level people undergo a “Red Team” cyber assessment.

That’s an exercise in which “white hat” hackers try to penetrate the system. Executives experience “what a real-world scenario is like,” Thycotic writes.

Think of it as cyber security boot camp.

Next, Limit access to key data — adopt a “least privilege” culture.

Protect critical systems; put multi-factor authentication in place. Implement a cyber incident plan.

Finally, measure it all. These metrics may be just as important as the ones you use to gauge your marketing success.







Next story loading loading..