A new security measurement index benchmark survey has shown that nearly a third of companies are blindly making cyber security investments
Most companies worldwide are failing to measure cyber security effectiveness and performance, according to a cyber security report from Thycotic – a provider of privileged account management (PAM) and endpoint privilege management solutions.
Based on internationally accepted standards for security embodied in ISO 27001, as well as best practices from industry experts and professional associations, the survey provides a comprehensive way to define how well an organisation is measuring the effectiveness of its IT security.
According to the findings, more than half of the 400 respondents in the survey, 58%, scored an “F” or “D” grade when evaluating their efforts to measure their cyber security investments and performance against best practices.
“It’s really astonishing to have the results come in and see just how many people are failing at measuring the effectiveness of their cybersecurity and performance against best practices,” said Joe Carson, chief security scientist at Thycotic. “This report needed to be conducted to bring to light the reality of what is truly taking place so that companies can remedy their errors and protect their businesses.”
With global companies and governments spending more than $100 billion a year on cyber security defences, a substantial share of companies, 32%, are making business decisions and purchasing cyber security technology blindly.
Even more disturbing, more than 80% of respondents do not include business users in cyber security purchase decisions, nor have they established a steering committee to evaluate the business impact and risks associated with cyber security investments. The report also found that one in three companies invest in cyber security technologies without any way to measure their value or effectiveness.
With GDPR approaching quickly, the finding that four out of five companies don’t know where their sensitive data is located, or how to secure it, will prove worrying in the face of business-changing fines.
The problem is endemic, with the survey revealing that four in five fail to communicate effectively with business stakeholders and include them in cyber security investment decisions. As a result, companies can’t fully understand their security strategy. For example, two in three don’t fully measure whether their disaster recovery will work as planned.
While 80% of breaches involve stolen or weak credentials, 60% of companies still do not adequately protect privileged accounts – their keys to the kingdom.
“We put out this report not only to show the errors that are being made, but also to educate those who need it on how to improve in each of the areas that are lacking,” added Carson. “Our report provides recommendations associated with better ways to educate, protect, monitor and measure so that improvements can be implemented.”