Most companies worldwide are failing to measure cybersecurity effectiveness and performance, according to a study released in late July.
The study by Thycotic found that nearly a third of the companies were blindly making cybersecurity investments.
More than half of the 400 respondents in the survey – 58 per cent – scored an “F” or “D” grade when evaluating their efforts to measure their cybersecurity investments and performance against best practices.
“It’s really astonishing to have the results come in and see just how many people are failing at measuring the effectiveness of their cybersecurity and performance against best practices,” said Joe Carson, Chief Security Scientist at Thycotic.
With global companies and governments spending more than $100 billion a year on cybersecurity defenses, a substantial number, 32 per cent of companies, are making business decisions and purchasing cybersecurity technology blindly.
Even more disturbing, more than 80 per cent of respondents fail to include business users in cybersecurity purchase decisions and have not established a steering committee to evaluate the business impact and risks associated with cybersecurity investments.
Top 5 cybersecurity flaws
* One in three companies invest in cybersecurity technologies without any way to measure their value or effectiveness.
* Four out of five companies don’t know where their sensitive data is located or how to secure it.
* Four out of five fail to communicate effectively with business stakeholders and include them in cybersecurity investment decisions.
* Two out of three companies don’t fully measure whether their disaster recovery will work as planned.
* Four out of five never measure the success of security training investments.
* While 80 percent of breaches involve stolen or weak credentials, 60 percent of companies still do not adequately protect privileged accounts—their keys to the kingdom.
The study also found that small businesses are targeted in two out of three cyberattacks and that sixty per cent of small businesses go out of business six months after a breach.