Trend Micro and the Ponemon Institute teamed up to produce a new Cyber Risk Index (CRI), which will be updated every six months. Today I want to dive a bit deeper into the results of the inaugural survey, which went out to more than 1,000 IT professionals and executives within organizations based in the USA. I also want to identify some differences between the responses given by organizations of different sizes, broken out by small, medium, and enterprise.
Before we go into these details, I want to briefly explain how the CRI was calculated. The CRI is made up of two components: the Cyber Preparedness Index (how prepared you are to combat threats) and the Cyber Threat Index (your experience dealing with threats). The formula is as follows:
CRI = CPI – CTI
The CRI is on a -10 to +10 scale with -10 being the highest risk. Below are the results based on organization size.
The results seem to line up with what most would expect: small businesses have the highest cyber risk, medium businesses have less, and enterprises have the least, based on the factors that make up the index. Let’s now look at some of the more detailed results from the survey.
Key Survey Results
The top risk reported for cyber preparedness was interesting, as small business and enterprise respondents face the same primary concern:
Small business & Enterprise: My organization’s IT security function has the ability to know the physical location of business-critical data assets and applications.
Medium business: My organization’s enabling security technologies are sufficient to protect data assets and IT infrastructure.
To some extent, this primary risk may not be surprising. In a small business, there usually isn’t much of an IT function, and in an enterprise the network tends to be very big and broad, so knowing where these assets are physically located can be a difficult task. On the other hand, medium-sized businesses may not have sufficient budget to afford some of the key components that make up a very secure environment.
On the other end of the CRI – the Cyber Threat Index – we reaffirm that threats are universal. Businesses of all sizes are dealing with cyber threats every day. Here are some of the most interesting takeaways from the survey:
As you see above, it is almost inevitable that an attack will occur in the next 12 months and that it will be successful. These responses show why all organizations have a high cyber threat environment today.
The intent of the CRI is to give organizations an understanding of their risk levels and insights into many areas of their security posture. From the results, they can make changes to their security infrastructure and policies, and educate their employees and board members, to help minimize their risk in the future. As we continue to run the CRI survey every six months, we hope to see gradual improvement in the results.
Stay tuned for more insights from the survey in future blogs. If you want to check out the current results and take a mini version of the survey, go to our landing page here.