60 percent of organizations have suffered disruptive cyber events in the last two years
A new study reveals that 60 percent of organizations globally have suffered two or more business-disrupting cyber events -- defined as cyberattacks causing data breaches or significant disruption and downtime to business operations, plant and operational equipment -- in the last 24 months.
But despite this documented history of damaging attacks, the study finds that the majority of organizations (54 percent) are not measuring, and therefore don't fully understand, the business costs of cyber risk.
Just 29 percent of respondents report having sufficient visibility into their attack surface to effectively reduce their exposure to risk. To further complicate this lack of visibility, more than half of respondents (58 percent) say their security function lacks adequate staffing to scan for vulnerabilities in a timely manner, with only 35 percent scanning when it's deemed necessary by an assessment of risks to sensitive data.
Of those organizations that do measure the business costs of cyber risk, 62 percent aren't confident their metrics are accurate. This means decisions about the allocation of resources, investments in technologies and the prioritization of threats are being made without critical information.
"In today's digital economy, cyber risk equates to business risk. It's shocking to learn that organizations are suffering business-impacting cyber events yet are struggling to accurately measure the resulting financial cost," says Bob Huber, CSO at Tenable. "This study powerfully highlights that most organizations have not implemented security metrics that reflect cybersecurity’s role as a core business function. CISOs need reliable metrics to help them make educated decisions on the allocation of resources, investments in technology and the prioritization of threats."
You can read more about the results on the Tenable blog.