Report by Thycotic shows disturbing lack of Cyber Security Metrics amongst small businesses.

A recent report on the state of cyber security metrics issued by Thycotic contains worrying findings that every organisation needs to take note of, particularly in the light of increased regulation such as the GDPR, which applies from next May (25 May 2018).

The main highlights include:

  • Evaluation – Most companies are failing at cyber security metrics, with more than half of respondents (50%) scoring a failing grade when their efforts to measure cyber security investments and performance were evaluated against best practices. In addition, 80% of companies are not fully satisfied with the metrics and insight they currently have.
  • Planning failures – 1 in 3 companies invest in cyber security technologies without any way to measure their value or effectiveness, and 4 out of 5 fail to include business stakeholders in cyber security investment decisions. More disturbing still, 4 out of 5 companies do not know where their sensitive data is located or how to secure it.
  • Performance failures – 2 out of 3 companies do not fully measure whether their disaster recovery will work as planned, and 2 out of 3 never measure the success of their security training investments. Finally, while 80% of breaches involve stolen or weak credentials*, 60% of companies still do not adequately protect privileged accounts.

The report highlights that many cyber security investments are made without any way to measure their value or effectiveness. In other words, security investment decisions are educated guesses, with no metrics to show whether the investment will actually do any good.

At Guardian Technologies we know that organisations need to understand and quantify their risks, using methods and tools that cover the whole information lifecycle: where is my sensitive data? Who is accessing it? What are they using it for? Is that use appropriate?

Without this information and an understanding of the key risks, security investments are a shot in the dark. Conversely, the same metrics captured before and after an investment show how much risk the investment has actually mitigated.

Here are some suggestions, supported by the report's findings, to help you make better security investment decisions:

  • Involve key business stakeholders in cyber security investment decisions.
  • Develop a set of security metrics so that you can assess your organisation's security capabilities, and track them over time.
  • Use tools to assess your information protection risks, then re-measure the same metrics after mitigation to show the impact.
  • Justify security spend with clear metrics and the level of risk reduction you expect to achieve.
  • If you do not know where your sensitive information is located, now is the time to find out and to define appropriate information protection policies.
  • Make sure the business buys into the overall security strategy, not just the individual investments.
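The metrics the report says most companies lack start with discovery: you cannot report how much sensitive data is exposed until you can find it. As an added example (not code from the report or from Guardian Technologies), here is a small Python scanner that locates payment card numbers and e-mail addresses in a constructed set of files, expresses exposure as a single metric, and compares that metric before and after a mitigation. The file corpus, the notion of a "protected location" and the exposure metric itself are assumptions chosen for illustration, not anything the report defines.

```python
"""Sensitive-data discovery metric (added example, not from the report).

Scans a corpus of documents for payment card numbers (validated with the
Luhn check to weed out false positives such as order numbers) and e-mail
addresses, then reports the share of files with sensitive data that live
outside a protected location. The same function run before and after a
mitigation gives a measurable risk reduction.
"""
import re
from dataclasses import dataclass, field

# 13-19 digits, optionally separated by spaces or hyphens, not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def luhn_ok(digits: str) -> bool:
    """Standard Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return normalised card numbers found in text that pass the Luhn check."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


@dataclass
class Finding:
    path: str
    pans: list = field(default_factory=list)
    emails: list = field(default_factory=list)


def scan(corpus: dict) -> list:
    """corpus maps a file path to its text; returns one Finding per file with sensitive data."""
    findings = []
    for path, text in corpus.items():
        f = Finding(path, find_pans(text), EMAIL_RE.findall(text))
        if f.pans or f.emails:
            findings.append(f)
    return findings


def exposure_metric(corpus: dict, protected_paths: list) -> float:
    """Share of files holding sensitive data that sit outside a protected location (0.0-1.0).

    'Protected' is an assumption for the example: a path prefix where access is
    controlled, e.g. an encrypted or access-restricted share.
    """
    findings = scan(corpus)
    if not findings:
        return 0.0
    exposed = [f for f in findings
               if not any(f.path.startswith(p) for p in protected_paths)]
    return len(exposed) / len(findings)


def risk_reduction(before: float, after: float) -> float:
    """Fraction of the measured exposure removed by a mitigation."""
    if before == 0:
        return 0.0
    return (before - after) / before


# Constructed sample corpus. 4111 1111 1111 1111 is the well-known Visa test
# number (Luhn-valid); 1234 5678 9012 3456 looks like a card but fails Luhn.
CORPUS = {
    "shared/finance/refunds.csv": "customer,card\nJ Smith,4111 1111 1111 1111\n",
    "shared/sales/leads.txt": "Follow up with anna@example.com about the renewal.\n",
    "shared/ops/orders.log": "order 1234 5678 9012 3456 shipped\n",
    "vault/hr/contracts.txt": "bob@example.com signed on 2017-09-01\n",
    "shared/readme.txt": "Nothing sensitive here.\n",
}

if __name__ == "__main__":
    for f in scan(CORPUS):
        print(f"{f.path}: {len(f.pans)} card number(s), {len(f.emails)} e-mail(s)")
    before = exposure_metric(CORPUS, protected_paths=[])
    # Mitigation (assumed): the vault and the finance share are brought under access control.
    after = exposure_metric(CORPUS, protected_paths=["vault/", "shared/finance/"])
    print(f"exposure before: {before:.2f}, after: {after:.2f}, "
          f"risk reduction: {risk_reduction(before, after):.0%}")
```

Run it once to baseline the metric, apply the control (move the data, encrypt the share, restrict access), and run it again; the difference is the risk-reduction figure to put in front of the business stakeholders. The Luhn check matters: without it, order numbers and similar identifiers inflate the "before" figure and make the investment look better than it is.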

Guardian Technologies can work with you to identify requirements and to develop the metrics and measurements needed to identify your information risks, and then, using tools and services, deliver a programme of work to discover, classify, protect and control sensitive information. Contact us to find out more.


Thycotic provides solutions that help prevent cyber-attacks by securing passwords, protecting endpoints and controlling access. Click here to see the full report.