Muscat, Jan 12 – Tenable, Inc, the cyber exposure company, released the Measuring and Managing the Cyber Risks to Business Operations Report, an independent study conducted by Ponemon Institute. It found that 60 per cent of organisations globally had suffered two or more business-disrupting cyber events — defined as cyber attacks causing data breaches or significant disruption and downtime to business operations, plant and operational equipment — in the last 24 months. Further, the vast majority of respondents (91 per cent) had suffered at least one such cyber event in the same time period.
Despite this documented history of damaging attacks, the study found that the majority of organisations (54 per cent) are not measuring, and therefore don’t understand, the business costs of cyber risk. The report concludes that organisations are unable to make risk-based business decisions backed by accurate and quantifiable metrics, resulting in a lack of actionable insight for the C-suite and board of directors.
Digital transformation has created a complex computing environment of Cloud, DevOps, mobility and IoT, where everything is connected as part of the new, modern attack surface. This has created a massive gap in an organisation’s ability to truly understand its Cyber Exposure at any given time.
The research — which surveyed 2,410 IT and infosec decision-makers in six countries — found less than one third (29 per cent) of respondents reported having sufficient visibility into their attack surface (i.e. traditional IT, cloud, containers, IoT and operational technology) to effectively reduce their exposure to risk. To further complicate this lack of visibility, more than half of respondents (58 per cent) said their security function lacks adequate staffing to scan for vulnerabilities in a timely manner, with only 35 per cent scanning when it’s deemed necessary by an assessment of risks to sensitive data.
Together, these data points reveal that the tools and approaches organisations are using fail to provide the visibility and focus required to manage, measure and reduce cyber risk in the digital era.
Of those organisations that measure the business costs of cyber risk, 62 per cent are not confident their metrics are actually accurate. Thus, decisions about the allocation of resources, investments in technologies and the prioritisation of threats are being made without critical information — such as the costs of IP theft, loss of revenue or loss of productivity. Organisations admit to not using the key performance indicators (KPIs) they consider important to assessing and understanding cyber risks:
n 64 per cent rated “time to assess” an essential KPI but only 49 per cent actually measure it
n 70 per cent rated “time to remediate” an essential KPI but only 46 per cent measure it
n Only 30 per cent of respondents believe their organisations can translate cyber risk KPIs into actionable steps