More than half of the organisations studied in Thycotic’s 2017 State of Cybersecurity Metrics Annual Report scored a failing grade when evaluating the effectiveness of their cyber security investments and performance.
The grades are based on the Security Measurement Index benchmark survey, which compares organisations’ cyber security measures with the international standard ISO 27001 and best practices from industry experts and professional associations. According to Thycotic’s study, 50% of respondents scored an F and 8% scored a D.
Of the passing grades, 11% scored a C, 13% scored a B and 18% scored an A.
ISO 27001 is an information security standard that provides a framework and best practice guidance for protecting a company’s information from internal and external threats, and enables the business to significantly reduce its exposure to cyber risks.
Failure to communicate
The study indicates that organisations’ inability to evaluate their cyber security measures isn’t due to a lack of resources, as companies and governments are spending more than $100 billion a year (about £77 billion) on cyber security.
The problem is that companies are making business decisions and buying cyber security technology without communicating their decisions and without any way of evaluating their effectiveness. According to the report:
- Four out of five respondents fail to include business users in cyber security purchase decisions, and have not established a steering committee to evaluate the business impact and risks associated with cyber security investments.
- One in three companies invest in cyber security technologies without any way to measure their value or effectiveness.
- Four out of five companies fail to communicate effectively with business stakeholders or include them in cyber security investment decisions.
The study also claims that two thirds of cyber attacks target small and medium-sized businesses (SMBs). This is often because attackers exploit smaller organisations’ lack of resources as a way into the supply chains or data they share with larger organisations.
Secure your organisation
In a press release, Joseph Carson, Thycotic’s chief security scientist, said:
It’s really astonishing to have the results come in and see just how many people are failing at measuring the effectiveness of their cybersecurity and performance against best practices. At a time when threats are escalating and the need for quantifiable metrics is putting security teams and executives under pressure, [our report] reveals what is actually occurring so that companies can produce assurances, remedy their errors and protect their businesses.
You can see how your organisation measures up by taking the Security Measurement Index benchmark survey.
By implementing an information security management system (ISMS) based on the ISO 27001 standard, you can avoid applying additional, costly controls that might not be necessary. You can also have confidence that the controls you do implement address real risks, as companies that comply with ISO 27001 are required to conduct regular, comprehensive risk assessments that identify the risks their information is exposed to.
ISO 27001 also requires the organisation to analyse and evaluate each risk and apply suitable controls.
Internal and external audits help the business to assess whether the controls are working as intended.
Alternatively, you may want to look at our Cyber Review service. It provides you with an evaluation of your organisation’s cyber security posture and a documented summary of recommendations for improvements. It’s ideal for organisations that are worried about cyber security or are in a position where they are starting from scratch.