Cyber Risk Index – A Guide for CISOs and IT Security –

Trend Micro has partnered with the Ponemon Institute to develop a new Cyber Risk Index (CRI), which is intended to help CISOs and their IT Security teams better understand the current cyber risk compared to similar businesses of their size and industry. The CRI is based on a survey conducted by Ponemon to more than 1,000 IT professionals in the US from small, medium and large businesses and it looks at two aspects: How prepared are organizations to protect their data and systems versus the current threats targeting them. Our plan is to run the CRI every six months to obtain trending data to see if the CRI improves or not over time.

The CRI is based on a -10 to +10 scale with -10 being high risk and +10 being minimal risk. The results show that businesses overall are at an elevated risk of cyber threats with a score of -0.15. We also broke out the results based on company size, which shows that small businesses are at the highest risk at -0.59.

The good news is enterprise businesses responded with a moderate risk index level. When we break out the results by industry, for those industries where we had enough responses for a good statistical average they all showed elevated risk levels with the highest risk associated with services, public sector, retail, health & pharmaceutical industries.

Let’s look at some of the more interesting results from the survey based on all respondents. 

Cyber Attacks Will Likely Occur

	Likelihood of a data breach of customer data in next 12 months: 77% likelihood Likelihood of a data breach of critical data (IP) in next 12 months: 80% likelihood Likelihood of one or more successful cyber attacks in next 12 months: 80% likelihood

The above results show that our respondents are not confident that they can thwart an attack, and believe some of their most valuable data will be exfiltrated. 

Critical Data is at Risk

The top four things at highest risk of loss or theft are (in order of highest risk):

	R&D Information Trade Secrets Customer Accounts Company-confidential information

The good news is our respondents recognize that their most valuable data is at risk, as these four data types could significantly affect the businesses existence if stolen. 

Challenges within Organizations

The following represent challenges within organizations that add additional risk. Respondents reported that they don’t believe their business is sufficient in these areas.

My organization’s IT security function is involved in determining the acceptable use of disruptive technologies (such as mobile, cloud, social media, IoT devices) in the workplace. My organization’s IT security function is able to detect zero-day attacks. My organization is well prepared to deal with data breaches and cybersecurity exploits. My organization’s IT security architecture has high interoperability, scalability and agility. My organization’s IT security function conducts assessments and/or audits to identify threats, vulnerabilities and attacks.

When you look at these top risks, many appear to show a lack of confidence in the organization’s security controls to detect and block attackers as well as challenges dealing with new technologies being introduces and a security architecture that isn’t well coordinated. 

Top Threats

When we asked what the top threats against them we see the top two targeting their employees:

	Phishing & social engineering Clickjacking Ransomware Botnets SQL & code injection

There are many more results we can share and I’ll do so in further blogs to help you better understand all of the insights we’ve obtained from this project. We also look forward to seeing the next round to see if organizations feel they’ve improved their capabilities or if they think the threats targeting them have gotten easier or harder to defend against. I’ll leave you with a few of the ways we think organizations can improve their capabilities in protecting against these threats:

Identifying critical data and building security around this data, taking a risk management approach Minimizing the complexity of infrastructure and improving alignment across the security stack Improving the ability to protect mobile devices, information and operational technology devices, and cloud infrastructure Investing in new talent and existing personnel Reviewing existing security solutions with the latest technologies to detect advanced threats like ransomware and botnets. Improving IT security architecture with high interoperability, scalability, and agility

Check out more details of the Cyber Risk Index as well as taking a shortened version of the survey yourself to see how you stack up against your peers on our CRI webpage.