Risk Management
Cyber Risk Index (2H’ 2021): An Assessment for Security Leaders
We take a look at our latest Cyber Risk Index (CRI) findings across North America, Europe, Asia-Pacific, and Latin/South America, to help security leaders better understand, communicate, and address their enterprise’s cyber risk.
In 2021 we ran the Trend Micro Cyber Risk Index (CRI) twice, once in the first half and once in the second half in order to gauge the shifts in how organisations viewed their cyber risk. In both surveys for 2021 we included North America, Europe, Asia-Pacific, and Latin/South America giving us a truly global view of the cyber risk organisations are dealing with today.
The CRI is a collaborative effort between Trend Micro and the Ponemon Institute to survey respondents. In the 2H’2021 we surveyed over 3,400 businesses of many sizes and industries across the four regions. The CRI looks to identify the cyber risk level organisations have based on two areas:
- Their ability to prepare for cyberattacks targeting them (cyber preparedness index - CPI)
- The current assessment of the threats targeting them (cyber threat index - CTI)
These two are used to calculate the overall cyber risk of an organisation based on a -10 to +10 scale, where negative results represent a higher risk level. We calculated the CRI by subtracting the CTI from the CPI (CRI = CPI – CTI).
The Global and Regional CRI
The current global cyber risk index is at -0.04, which is considered an elevated risk level and is a slightly higher number from 1H’2021 when it was -0.42.
North America, Europe, and Asia-Pacific improved their cyber risk in the 2H’2021 whereas Latin/South America’s risk increased compared to the first half. The reason? We found it was a mixed bag as two regions saw their preparedness suffer, but the other two regions saw it improve.
In comparing the CTI numbers, three regions saw an improvement and one region saw a slight drop. But overall, three of the organisations saw more improvements in their preparedness, which improved their overall CRI. Latin/South America saw a much bigger drop in CPI compared to their CTI, which caused their CRI to drop, meaning their risk increased.
Digging into each of the four regions, North America’s CRI came in just under zero at -0.01 with their CPI improving quite a bit from 4.07 to 5.35 (a higher CPI number means lower risk) and their CTI worsened just a bit from 5.34 to 5.36 (a higher CTI means higher risk).
Europe’s overall CRI improved from -0.22 to -0.15. Surprisingly, Europe’s preparedness was worse but their threat index improved more so overall their CRI improved.
Asia/Pacific saw their cyber risk improve from elevated risk level to moderate risk level at +0.20, which is a big improvement from the first half (-0.24 to +0.20). Their CPI showed a lower risk in second half going from 5.20 to 5.35 as did their CTI, reducing from 5.44 to 5.15.
Latin/South America’s risk worsened from first half to second going from +0.06 to -0.20 mostly due to a higher drop in CPI (5.45 to 4.94) than CTI (5.39 to 5.14) from the first half to second half.
This essentially means that businesses in Latin/South America were reportedly the least prepared to effectively stop or respond to cyber threats in the second half. Since businesses across all four regions seem to face equal levels of threats (based on the CTI), that left Latin/South America with the highest CRI overall. Asia/Pacific came in at a positive CRI level, which means they are more prepared than the other regions.
The Details of the 2H’2021 CRI
Let’s dig into the results a bit further to identify areas of greatest concern across regions.
1. Top five security risks
With the global Covid-19 pandemic continuing as well as many successful ransomware attacks and breaches occurring, it does appear that many organisations felt some areas of their preparedness may be more of a concern now than in the past. Below are the top five security risks around their infrastructure:
- Mobile/remote employees
- Cloud computing infrastructure and providers
- Across 3rd party applications
- Malicious insiders
- Mobile devices such as smart phones
The pandemic brought a major shift from working in office to working from home (WFH), and many organisations had to quickly figure out how to secure these employees. As seen above, this is the biggest concern from respondents and will likely continue. Similarly, businesses showed concerns about mobile devices which are being used more by employees to conduct business remotely.
We also saw an acceleration with cloud implementations during the pandemic and as such it’s not surprising this area of the infrastructure is of major concern. Both WFH and cloud implementations also mean a higher reliance on third-party applications being utilised, and respondents recognise this as a threat. Lastly, malicious insiders are a staple in this list and is one of the hardest areas to protect against for organisations.
2. Lack of preparation
Globally, respondents indicated the lowest number for preparedness out of all 31 questions in this area: My organisation’s IT security function supports security in the DevOps environment. As more organisations shift left to the cloud in support of rapid code development, it has become an area of real concern for securing this environment within an organisation.
3. Successful cyberattacks seem imminent
When asked about attacks in the past 12 months and future attacks for next year, the results don’t bode well for 2022. Globally, 84% experienced one or more successful attack, and 35% had seven or more successful attacks in the past 12 months. Additionally, 76% say it is somewhat to very likely they will have a successful attack in the next 12 months. Even though this was a 10% drop from the first half, this again appears to indicate organisations know they are not prepared enough to defend against new attacks.
Top global threats
The CRI is designed to help organisations understand where their highest risks lie and identify areas where they can improve their preparedness. We cannot change what the attackers will do in the future, but the CTI will continue to help us understand if attackers are being more aggressive. From the 1H’2021 to 2H’2021, the top threats globally are:
- Ransomware
- Phishing and social engineering
- Denial of service (DoS)
- Botnets
- Man-in-the-middle attack (MitM)
Ransomware was and will continue to be a major concern for everyone, so it is unsurprising this threat landed at number one. Phishing and social engineering is used in most attacks, mainly for the initial access into a network. One interesting threat is DoS, as we’re seeing some ransomware-as-a-service groups employ this in a multiple extortion attack. MitM attacks may be rising due to the perception that supply chain attacks (a form of MitM) are increasing.
Improving your cyber risk
The good news from the 2H’2021 CRI is that we are seeing organisations starting to understand that they need to improve their cyber risk, which is done through a process of improving their people, process, and technology (PPT) within their business. Since the CRI looks at all three of these areas, an improvement to the total CRI could be due to any one, or all, of these categories.
Based on the results, these are the areas of preparedness that need the most work to address the perceived areas of highest risk:
- My organisation’s IT security function supports security in the DevOps environment.
- My organisation’s IT security leader (CISO) has sufficient authority and resources to achieve a strong security posture.
- My organisation’s IT security function strictly enforces acts of non-compliance to security policies, standard operating procedures, and external requirements.
- My organisation’s IT security function can know the physical location of business-critical data assets and applications.
- My organisation’s IT security leader reports to senior leadership (such as the CEO, COO, or CIO).
- My organisation makes appropriate investments in leading-edged security technologies such as machine learning, automation, orchestration, analytics and/or artificial intelligence tools.
- My organisation spends considerable resources evaluating third-party security risks (including the cloud and the entire supply chain).
In order to address these concerns, CISOs and security leaders should look for a unified cybersecurity platform instead of investing in several disconnected point products across the enterprise. As we stated, the growing attack surface due to remote workers (more devices) as well as evolving threats means organisations need total visibility to better understand, communicate, and mitigate threats. This necessary visibility cannot come from disperse products, but rather a cybersecurity platform which correlates and consolidates deep threat data across the digital attack surface.
Consider a platform backed by continuous threat monitoring, risk insights, extended detection and response (XDR) and supports best approaches like Zero Trust. Broad integrations with third-party services like firewalls, SIEM, SOAR, etc., are equally important. All these features and capabilities will help reduce complexity for security teams, allowing them to investigate only the most critical threats. In turn, an organisation’s cyber risk is reduced, enabling business innovation.
Next steps
The CRI is ongoing, and we update it each year to show trends around organisations’ ability to prepare and withstand attacks.
Check the webpage for more details and assets and try our CRI calculator to assess your own organisation’s CRI against the current results: www.trendmicro.com/cyberrisk.