I’m excited this year to share the most recent version of the Trend Micro Cyber Risk Index (CRI), which we started 3 years ago. This year we’ve added Europe and Asia-Pacific to the survey, bringing a truly global view of the cyber risk organizations are dealing with today.
If you aren’t familiar with the CRI, it is a collaborative effort between Trend Micro and the Ponemon Institute to survey respondents from businesses of all sizes. The CRI looks to identify the risk level organizations have based on two areas:
- Their ability to prepare for cyber attacks targeting them (cyber preparedness index)
- The current assessment of the threats targeting them (cyber threat index)
These two are used to calculate the overall cyber risk of an organization on a -10 to +10 scale, where negative results represent a higher risk level.
The Global CRI
The current global cyber risk index is at -0.41, which is considered an elevated risk level.
Digging into each of the 3 main regions, the USA is at the highest risk level compared to Europe and Asia-Pacific. When I looked further into the details of these results, I found that the cyber preparedness was lowest in the USA and this caused their overall CRI to be highest. Surprisingly, the cyber threat index was pretty much the same across the three regions.
This essentially means that businesses in the US reportedly were the least prepared to effectively stop or respond to cyber threats. Since businesses across all three regions seem to face equal levels of threats (based on the cyber threat index), that left the US with the highest overall risk level.
Details from the Results
Let’s dig into the results a bit further to identify areas of greatest concern across regions.
1. With the global Covid-19 pandemic it does appear that many organizations felt their preparedness may be a key concern. Below are the four areas of most concern based on the respondents.
a. Organizational misalignment and complexity
b. Negligent insiders
c. Cloud computing infrastructure and providers
d. Shortage of qualified personnel
We’ve seen many organizations adopting cloud computing much faster this year due to the pandemic. While this is a helpful response to continue operating under the present circumstances, it can cause major disruptions as new technology and skills must be learned. Responses A, B & D above indicate this challenge.
2. Respondents stated they were underprepared to prevent and contain most cyber attacks, and completely unable to detect zero-day attacks. This was a key area of preparedness that caused the index to be at an elevated risk level.
3. In asking about attacks in the past 12 months and future attacks in the next 12 months, the results don’t bode well for 2021. Globally, 76% had 1 or more successful attacks, and 23% had 7 or more successful attacks in the past 12 months. Additionally, 83% say it is somewhat to very likely they will have a successful attack in the next 12 months. This again appears to indicate organizations are not prepared enough to defend against new attacks.
The CRI is designed to help organizations understand where their highest risks lie and identify areas where they can improve their preparedness. We cannot change what the attackers will do in the future but the cyber threat index will continue to help us understand if attackers are being more aggressive.
For example, we’ve run the CRI 3 times now for the USA and the cyber threat index has stayed consistent: 5.22 in 2018, 5.5 in 2019, 5.22 in 2020. So, the biggest areas that can shift the CRI from a negative result to a positive result (less risk) are in cyber preparedness.
Based on the results, these are the areas of preparedness that most need work to address the perceived areas of highest risk:
- Ensure the IT security leader (CISO) has sufficient authority and resources to achieve a strong security posture;
- Improve the organization’s ability to know the physical location of business-critical data assets and applications;
- Look to reduce organizational misalignment and the complexity of the security infrastructure;
- Train and educate employees about cyber threats and ensure they view cybersecurity as a necessary part of their jobs;
- Adopt cloud computing infrastructure and work with the providers to secure it. Also, educate the staff charged with implementing these new technologies, so they are able to do so securely;
- Improve the ability to detect and respond to new attacks, and deploy a more connected threat defense infrastructure that limits the number of security solutions and allows visibility across the entire attack lifecycle.
The CRI is ongoing, and we update it each year to show trends around the ability to prepare for and withstand attacks. I’m looking forward to seeing how the global respondents may change their perceptions in the future.
Until then, enjoy this year’s CRI. Check the webpage to assess your own organization’s CRI against the current results: www.trendmicro.com/cyberrisk.