Organizations modestly improved their cybersecurity posture in the second half of last year, if the latest results from infosec respondents using a self-assessment tool called the Cyber Risk Index (CRI)
On Monday, the latest biannual results from respondents using the tool, which was created by the Ponemon Institute for Trend Micro, were released. They show that globally the CRI was -0.04 for the second half of 2021, compared to -0.42 for the first half of 2021.
The scoring system runs from -10 to +10, with a positive score representing a good result.
“Overall, the CRI trended upward globally due to enhanced cyber preparedness and respondents perceiving the threat landscape as improving,” the report’s authors say. Latin/South America was the only region that saw a lower CRI in comparison with other regions.
Canada received a score of -0.16. According to the report’s authors, that shows this country has a moderate cyber risk level in comparison to global and U.S. respondents.
According to a Trend Micro news release that pulled Canadian numbers from the survey, 83 per cent of respondents said they suffered one or more successful cyber-attacks in the past 12 months, with 32 per cent saying they’d experienced seven or more.
The CRI is composed of the scores from answers by infosec pros (including CISOs) to a number of questions. These questions are split into what is called a cyber preparedness index, which tries to measure an organization’s readiness to defend against cyber attacks, and the cyber threat index, which tries to represent the state of the threat landscape at the time the CRI was calculated.
The CRI is calculated by subtracting the cyber threat index scores from the cyber preparedness index.
Respondents are asked questions such as ‘how many separate data breach incidents involving the loss or theft of customer records did your organization experience over the past 12 months’, and ‘what is the likelihood that your organization will experience one or more cyberattacks that have infiltrated your networks or enterprise systems within the next 12 months?’
For the latest survey, just over 3,400 infosec pros responded, including 980 in North America.
“As organizations constantly navigate the ever-evolving security landscape, understanding what makes their businesses vulnerable is critical,” Greg Young, vice-president of cybersecurity at Trend Micro Canada, said in a statement. “This is where reports like the CRI can be a great resource in highlighting areas of possible concern to help organizations develop an effective cybersecurity strategy.”
Note that of the respondents, only 36 per cent said they were “very familiar” with their organization’s approach to information security. Another 36 per cent said they were “familiar,” while 28 per cent said they were “somewhat familiar” with their organization’s approach to IT security.
Only 36 per cent said they had full responsibility for infosec, with another 37 per cent saying they had some responsibility and 28 per cent saying they had minimal responsibility.
The report said businesses can still effectively minimize their risks by implementing security best practices. These include:
- identifying and building security around critical data by focusing on risk management and the threats that could target this data;
- implementing attack surface discovery to identify the internal and external systems, accounts and devices that you have;
- minimizing infrastructure complexity and improving alignment across the whole security stack;
- getting senior leadership to view security as a competitive advantage;
- improving the ability to protect the business environment, including properly securing bring your own device (BYOD), internet of things (IoT) and industrial IoT devices (IIoT), and cloud infrastructure;
- investing in both new talent and existing security personnel to help them keep up with the rapidly evolving threat landscape, as well as improve retention;
- reviewing existing security solutions with the latest technologies to detect advanced threats like ransomware and botnets;
- improving IT security architecture with high interoperability, scalability, and agility.
The post “Modest improvement in cybersecurity in 2H 2021, report suggests” first appeared on IT World Canada.