Email ransomware is a huge threat. But many companies are not defending themselves against it. And most that are do not have a clue as to whether they’re getting their money’s worth, according to “The 2017 State of Cybersecurity Metrics Annual Report,” by Thycotic.
Asked to rate their ability to measure their investments and performance, 58% said they are failing at their investment. In school grading terms, 50% scored an F, and 8% earned a D. Not everybody flunked -- 18% pulled an A, and 13% a B, while another 11% earned a C. But 80% are dissatisfied with their security metrics, whatever their grade. And 34% admit they are blindly investing in their programs.
Thycotic polled 400 executives worldwide. The majority were from North America, but others hailed from Europe, Russia, India, Central and South America. They work in financial, technology, manufacturing, healthcare, government and other sectors.
Of that sample, 83% fail to consider the business impact in their security decisions. And 80% fail to measure the success of their training investments.
Worse, 80% are have no idea where their most sensitive data is located, or whether it is well protected. And 75% have not taken measures to comply with laws in this area. Another 60% do not adequately protect privileged accounts.
Small businesses are especially vulnerable to cyber attack, although they are usually a secondary target: The goal is to leverage partnerships they have with larger companies.
Statistics from the Cyber Security Alliance show that 60% of SMBs go out of business within six months of an attack.
Here are a few other depressing stats:
Why are companies so sloppy when it comes to metrics? Here’s what they say:
What to do? Thycotic offers these suggestions:
The first priority is to educate all stakeholders. Make the C-level people undergo a “Red Team” cyber assessment.
That’s an exercise in which “white hat” hackers try to penetrate the system. Executives experience “what a real-world scenario is like,” Thycotic writes.
Think of it as cyber security boot camp.
Next, Limit access to key data — adopt a “least privilege” culture.
Protect critical systems; put multi-factor authentication in place. Implement a cyber incident plan.
Finally, measure it all. These metrics may be just as important as the ones you use to gauge your marketing success.