Organisations failing to measure cybersecurity effectiveness

New Security Measurement Index benchmark survey shows nearly a third blindly making cybersecurity investments

Public sector organisations are being encouraged to measure the effectiveness of their cyber security investment after new research suggested organisations are failing to check if they’re spending money well.

Thycotic’s first annual 2017 State of Cybersecurity Metrics Report found that more than half of the respondents in the survey (58%) scored an “F” or “D” grade when evaluating their efforts to measure their cybersecurity investments and performance against best practices.

The survey, which analyses key findings from a Security Measurement Index (SMI) benchmark, is based on internationally accepted standards for security embodied in ISO 27001, as well as best practices from industry experts and professional associations.

With global companies and governments spending more than $100 billion a year on cybersecurity defences, a substantial number, 32% of companies, are making business decisions and purchasing cyber security technology blindly. Even more disturbing, more than 80% of respondents fail to include business users in making cybersecurity purchase decisions and have not established a steering committee to evaluate the business impact and risks associated with cybersecurity investments.

Additional key findings from the report include:

• One in three companies invest in cybersecurity technologies without any way to measure their value or effectiveness.
• Four out of five companies don’t know where their sensitive data is located, and how to secure it.
• Four out of five fail to communicate effectively with business stakeholders and include them in cybersecurity investment decisions.
• Two out of three companies don’t fully measure whether their disaster recovery will work as planned.
• Four out of five never measure the success of security training investments.
• While 80% of breaches involve stolen or weak credentials, 60% of companies still do not adequately protect privileged accounts—their keys to the kingdom.
• Small businesses are targeted in two out of three cyberattacks.
• Sixty percent of small businesses go out of business six months after a breach.

“It’s really astonishing to have the results come in and see just how many people are failing at measuring the effectiveness of their cybersecurity and performance against best practices,” said Joe Carson, Chief Security Scientist at Thycotic. “This report needed to be conducted to bring to light the reality of what is truly taking place so that companies can remedy their errors and protect their businesses.

“We put out this report not only to show the errors that are being made, but also to educate those who need it on how to improve in each of the areas that are lacking. Our report provides recommendations associated with better ways to educate, protect, monitor and measure so that improvements can be implemented.”

To download the full 2017 State of Cybersecurity Metrics Report and view all the findings from the Security Measurement Index benchmark survey, click here.
