Some 60% of European organisations suffered two or more business-disrupting cyber attacks – causing data breaches and/or disruption/downtime to business operations, plant and operational equipment – in the last 24 months. Some 91% of respondents to a study from the Ponemon Institute, on behalf of cyber exposure management provider Tenable, suffered at least one such cyber incident during the same time period.
Despite the incidence of damaging attacks, the Measuring and Managing the Cyber Risks to Business Operations report found that 54% of organisations do not measure – and therefore fail to understand – the business cost impacts of cyber risk. The report concludes that organisations are ‘unable to make risk-based business decisions backed by accurate and quantifiable metrics’, resulting in a ‘lack of actionable insight’ for C-suite and board-level executives.
‘Digital transformation has created a complex ICT environment of Cloud, DevOps, mobility and IoT, where everything is connected as part of the new, modern attack surface,’ the report found. ‘This has created a massive gap in organisations’ ability to truly understand its cyber-attack exposure at any given time.’
The research, which surveyed 2,410 IT and information security decision-makers in six countries, found that 29% of respondents reported having ‘sufficient visibility into their cyber attack surface’ (i.e., traditional IT, cloud, containers, IoT and operational technology) to effectively reduce their exposure to risk.
Compounding this lack of visibility, 58% of respondents say that their security function ‘lacks adequate staffing’ to scan for vulnerabilities in a ‘timely manner’, with only 35% scanning ‘when it is deemed necessary’ by an assessment of risks to sensitive data.
These data points taken together reveal that the tools and approaches organisations use ‘fail to provide the visibility and focus required to manage, measure and reduce cyber security risk’ in the current threat climate, the report concludes.