The report Measurement and Management of Cyber Risks in Business Operations, a study conducted by the Ponemon Institute, was published by Tenable.
Two or more cyber events with business interruptions, reports Tenable
The main finding is that in the last 24 months, 60% of organizations worldwide have suffered two or more cyber incidents that affected the company's activities. These incidents are defined as those causing data leakage, or interruptions and downtime, for business operations, the plant and the operational team. In addition, 91% of respondents reported having suffered at least one cyber event in the same period.
The study also found that 54% of organizations do not understand the business costs of cyber risk. The report concludes that organizations cannot make risk-based business decisions supported by precise and quantifiable metrics, which leaves them without actionable information for decision-making.
Digital transformation has created a complex environment of cloud computing, DevOps, mobility and the Internet of Things (IoT), where everything is connected as part of the new modern attack surface. This has created a gap in an organization's ability to truly understand its Cyber Exposure at any given time, the firm explained.
During the investigation, 2,410 IT and information security decision-makers were surveyed in six countries, including Mexico. Less than a third (29%) of respondents reported having sufficient visibility into their attack surface (that is, traditional IT, cloud, containers, IoT and operational technology, or OT) to effectively reduce their exposure to risk.
58% of respondents said that their security function lacks adequate personnel to detect vulnerabilities in a timely manner, and 35% perform scans only when a risk assessment for confidential data deems it necessary.
Taken together, these data reveal that the tools and approaches used by organizations do not provide the visibility and focus needed to manage, measure and reduce cyber risk in the digital age, Tenable said.
Of those organizations that measure the business costs of cyber risk, 62% are not sure that their metrics are accurate. As a result, decisions about resource allocation, technology investments and threat prioritization are made without critical information, such as the costs of intellectual property theft, loss of revenue or loss of productivity. Organizations admit to not using the key performance indicators (KPIs) they consider important for assessing and understanding cyber risks, the report said.
This lack of rigor leaves boards unaware of the true cost of cyber risks to their organizations. Lacking confidence in the accuracy of their metrics, CISOs and other security executives are reluctant to share critical information about the business costs of cyber risks with their executives.
"This study highlights that most organizations have not implemented security metrics that reflect the role of cybersecurity as a priority business function. CISOs need reliable metrics that help them make informed decisions about resource allocation, technology investments and threat prioritization," said Bob Huber, Tenable's CSO.
Relevant data for Mexico
Mexico showed the lowest level of confidence in the accuracy with which the organization is able to measure the business costs of a cyber attack.
It was the country considered most disadvantaged in addressing vulnerabilities, because of its dependence on manual processes.
Mexico (along with Germany) reports the lowest level of visibility into the modern attack surface.