58% of companies fail to evaluate the effectiveness of their cyber security measures

More than half of the organisations studied in Thycotic’s 2017 State of Cybersecurity Metrics Annual Report scored a failing grade when evaluating the effectiveness of their cyber security investments and performance.

The grades are based on the Security Measurement Index benchmark survey, which compares organisations’ cyber security measures to the international standard ISO 27001 and best practices from industry experts and professional associations.

According to Thycotic’s study, 50% of respondents scored an F and 8% scored a D. Of the passing grades, 11% scored a C, 13% scored a B and 18% scored an A.


Failure to communicate

The study indicates that organisations’ inability to evaluate their cyber security measures isn’t due to a lack of resources, as companies and governments are spending more than $100 billion a year (about £77 billion) on cyber security.

Rather, companies are investing in cyber security technology without determining ways to evaluate its effectiveness.

According to the report:

  • 80% of respondents fail to include business users in cyber security purchase decisions, nor have they established a steering committee to evaluate the business impact and risks associated with cyber security investments.
  • A third of companies invest in cyber security technologies without any way to measure their value or effectiveness.
  • 80% of companies fail to communicate effectively with business stakeholders or include them in cyber security investment decisions.

The study also claims that two thirds of cyber attacks target small and medium-sized businesses (SMBs). This is often because hackers look to exploit smaller organisations’ lack of resources in order to find supply chains or data shared with larger organisations.


How does your organisation measure up?

See how your cyber security efforts compare with those of your peers by taking the Security Measurement Index benchmark survey.

You can make your cyber security efforts more effective and efficient by implementing an ISO 27001-aligned information security management system (ISMS).

Our ISO 27001 Get a Lot of Help package takes the hard work out of implementation, providing you with consultancy support, access to training courses, a licence for the risk assessment software vsRisk™, two implementation guides and templates for every compliance document you need.

No matter where your organisation is based or what industry it’s in, we guarantee that you’ll gain accredited certification by following our advice.