How do you think your cybersecurity investments and performance would hold up if they were graded? Do you think your company is doing an above average job in this area?
According to a new study from Thycotic, chances are actually pretty good you’re going to receive a failing grade. In its first annual 2017 State of Cybersecurity Metrics Report, 58 percent of respondents scored an “F” or “D” grade when evaluating their efforts to measure their cybersecurity investments and performance against best practices.
Think about that for a moment. How much money are you putting into your security investments – and then you find out they might not be operating as well as you expect? As the report pointed out, spending on cybersecurity defenses is more than $100 billion a year, but the problem is that too many organizations are spending that money blindly. Thycotic attributed this, in part, to a failure in planning. According to the study:
- One in three companies invest in cybersecurity technologies without any way to measure their value or effectiveness.
- Four out of five fail to include business stakeholders in cybersecurity investment decisions.
- Four out of five companies don’t know where their sensitive data is located, and how to secure it.
As Joseph Carson, chief security scientist at Thycotic, said in a formal statement:
It’s really astonishing to have the results come in and see just how many people are failing at measuring the effectiveness of their cybersecurity and performance against best practices.
An area the report noted as a particular concern is privileged user accounts. The purpose of privileged users is to protect certain data and provide network access to those who require access, but, as the report pointed out, if the access credentials are compromised, anyone can move around freely and without detection. Yet, the report found that 60 percent of organizations are failing to adequately protect privileged accounts. Carson said to me in an email comment:
Privileged accounts are one of the most sensitive accounts with an organization and sometimes referred to as “The Keys to the Kingdom.” They are the keys that unlock access to move around companies’ networks, systems and access to confidential and sensitive data. Unfortunately, many IT users lack a full understanding of how privileged accounts function, as well as the risks associated with their compromise and misuse. That makes them and their organizations much more vulnerable to potential monetary and reputational damage from increasing threats.
I wonder how often this happens in other areas across the network and data. If you want a passing grade on your cybersecurity performance, can you also get a passing grade in truly understanding your cybersecurity needs?
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom’s Guide. You can reach Sue via Twitter: @sueporemba