Safe Security has made available a free cybersecurity benchmarking tool for predicting cyberattack risk within vertical industry segments and can be tuned by organizations to better assess their own chances of being attacked.
Saket Modi, Safe Security CEO, said the CRQ Calculator combines cybersecurity threat intelligence and telemetry data it collects to ascertain attack costs with metadata collected from primary sources, such as reports published by the Securities and Exchange Commission (SEC) and insurance claims, that is accessible via application programming interfaces (APIs).
That data uses Bayes’ theorem to generate reports for specific vertical industries that determine, for example, that the probability of a health care company falling victim to a successful cyberattack is 25% compared to 20% for a financial services company. Industries such as manufacturing and retail face less than a 15% probability of a successful cyberattack.
The overall goal is to give organizations a better appreciation for the actual level of risk they face so they can make better cybersecurity investment decisions based on business context, noted Modi. That’s become more critical as a downturn in the overall global economy forces more organizations to reduce costs, he noted.
While there is a greater appreciation for cybersecurity than ever, many organizations are struggling to determine what level of spending is required to mitigate the threats they face. Before those assessments can be made there is a need to determine the actual level of threat to a vertical industry.
Spending on cybersecurity as a percentage of the overall IT budget has certainly increased in recent years. However, cybersecurity leaders are being asked more often to determine some level of return on investment (ROI) for that spending. Ultimately, the goal is to determine what level of spending makes sense based on what similar organizations are spending.
Of course, there is no correlation between spending and the level of cybersecurity attained. While the volume and sophistication of attacks have increased, most of the cybersecurity issues organizations encounter can be traced back to human error. Most organizations would dramatically improve their overall cybersecurity simply by focusing on fundamental processes that, in many cases, would eliminate the number of misconfigurations that cybercriminals can potentially exploit, for example.
At the same time, the number of attack surfaces that need to be defended continues to increase, so there does need to be some corresponding increase in cybersecurity. Most of the cyberattacks being launched are fairly rudimentary; cybercriminals don’t see the need to invest more time and effort when it’s relatively simple for them to compromise credentials and gain unfettered access to an IT environment.
Organizations can’t stop these attacks from being launched, but the hope is that by making it more difficult for cybercriminals to succeed they will concentrate their efforts elsewhere. Ultimately, if enough organizations improve their cybersecurity posture, the cost of launching attacks might one day become cost-prohibitive for attackers.
Unfortunately, organizations are a long way from achieving that goal. At the very least, organizations should have a better understanding of how much they need to spend on cybersecurity today as they look to continuously improve cybersecurity in the months and years ahead.