Organizations modestly improved their cybersecurity posture in the second half of last year, if the latest results from infosec respondents using a self-assessment tool called the Cyber Risk Index (CRI) are accurate.
On Monday, the latest biannual results from respondents using the tool, which was created by the Ponemon Institute for Trend Micro, were released. They show that globally the CRI was -0.04 for the second half of 2021, compared with -0.42 for the first half of 2021.
The scoring system runs from -10 to +10, with a positive score representing a good result.
“Overall, the CRI trended upward globally due to enhanced cyber preparedness and respondents perceiving the threat landscape as improving,” the report’s authors say. Latin/South America was the only region where the CRI fell.
Canada received a score of +0.16. According to the report’s authors, that indicates a moderate cyber risk level compared with global and U.S. respondents.
According to a Trend Micro news release that pulled Canadian numbers from the survey, 83 per cent of respondents said they suffered one or more successful cyber-attacks in the past 12 months, with 32 per cent saying they’d experienced seven or more.
The CRI is composed of the scores from answers by infosec pros (including CISOs) to a number of questions. These questions are split into what is called a cyber preparedness index, which tries to measure an organization’s readiness to defend against cyber attacks, and a cyber threat index, which tries to represent the state of the threat landscape at the time the CRI was calculated.
The CRI is calculated by subtracting the cyber threat index score from the cyber preparedness index score, so a positive result means preparedness outweighs the perceived threat.
Respondents are asked questions such as ‘how many separate data breach incidents involving the loss or theft of customer records did your organization experience over the past 12 months’, and ‘what is the likelihood that your organization will experience one or more cyberattacks that have infiltrated your networks or enterprise systems within the next 12 months?’
For the latest survey, just over 3,400 infosec pros responded, including 980 in North America.
“As organizations constantly navigate the ever-evolving security landscape, understanding what makes their businesses vulnerable is critical,” Greg Young, vice-president of cybersecurity at Trend Micro Canada, said in a statement. “This is where reports like the CRI can be a great resource in highlighting areas of possible concern to help organizations develop an effective cybersecurity strategy.”
Note that only 36 per cent of respondents said they were “very familiar” with their organization’s approach to information security. Another 36 per cent said they were “familiar,” while 28 per cent said they were “somewhat familiar” with their organization’s approach to IT security.
Only 36 per cent said they had full responsibility for infosec, with another 37 per cent saying they had some responsibility and 28 per cent saying they had minimal responsibility.
In an emailed response to questions Young admitted the index is subjective. “Objective metrics have high value, but are exceptionally expensive. However the objective studies themselves end up being based on subjective weighting and are often out of date by the time the measurement is completed. The survey is extensive enough that it can tease out some relationships more so than a simpler survey.”
Asked whether the fact that only 41 per cent of respondents said they were “very familiar” with their organization’s approach to infosec diminishes the accuracy of the responses, Young said that the familiarity question allows survey analysts to weight replies. “For the other 59 per cent, it allows us to include such weighted responses with the intention to have a very broad survey. It’s useful to have perceptions of risk from other than the security organization. It’s also why the question is asked about how much responsibility for security activities the respondent has.”
When it was suggested the index doesn’t represent an organization’s cyber readiness but its perception of readiness, Young said there is a link. “For example,” he said, “if a low score is given to ransomware likelihood, while they reported ransomware incidents, it can flag a mismatch given the higher likelihoods peers in the same vertical are reporting. While the final CRI is valuable, it is more valuable when that final CRI is looked at in detail compared to peers either in geography, size, and/or vertical.” A firm may say, ‘We think we’re at very low risk of ransomware, however our peers are concerned – why is that?’ The overall CRI views are a good indicator of where an organization is on the sine wave of threat versus defence, he said.
The report said businesses can still effectively minimize their risks by implementing security best practices. These include:
- identifying and building security around critical data by focusing on risk management and the threats that could target this data;
- implementing attack surface discovery to identify both internal and external systems, accounts and devices the organization has;
- minimizing infrastructure complexity and improving alignment across the whole security stack;
- getting senior leadership to view security as a competitive advantage;
- improving the ability to protect the business environment, including properly securing bring your own device (BYOD), internet of things (IoT) and industrial IoT (IIoT) devices, and cloud infrastructure;
- investing in both new talent and existing security personnel to help them keep up with the rapidly evolving threat landscape, as well as to improve retention;
- reviewing existing security solutions against the latest technologies for detecting advanced threats like ransomware and botnets;
- improving IT security architecture with high interoperability, scalability and agility.
(This story has been updated from the original to include added comments from Greg Young)