Continuing our support to bring information that can help organizations minimize their risk of a cyber-attack, we’re pleased to share the most recent version of the Trend Micro Cyber Risk Index (CRI). Going into our fourth year running this survey, we added Latin/South America region to the list of regional data. This round now includes North America, Europe, Asia-Pacific and Latin/South America to the survey, bringing a truly global view of the cyber risk organizations are dealing with today.
The CRI is a collaborative effort between Trend Micro and the Ponemon Institute to survey respondents from businesses of all sizes and within many industries. The CRI looks to identify the cyber risk level organizations have based on two areas:
1. Their ability to prepare for cyber-attacks targeting them (cyber preparedness index – CPI)
2. The current assessment of the threats targeting them (cyber threat index – CTI)
These two are used to calculate the overall cyber risk of an organization based on a -10 to +10 scale, where negative results represent a higher risk level.
The Global CRI
The current global cyber risk index is at -0.42, which is considered an elevated risk level and is a slightly lower number from 2020. Latin/South America came in at a lower risk level that caused the index to decrease only slightly, but if we take them out of the calculation and look at the number from the other three regions, the index would have been at -0.58, .17 points lower than in 2020.
Digging into each of the 4 regions, N. America is at the highest risk level compared to the other three regions. When I looked further into the details of these results, I found that the cyber preparedness was lowest in N. America and this caused their overall CRI to be at the highest risk level. Surprisingly, the cyber threat index was pretty much the same across the four regions, but all were at an elevated risk level for this component.
This essentially means that businesses in N. America reportedly were the least prepared to effectively stop or respond to cyber threats. Since businesses across all four regions seem to face equal levels of threats (based on the cyber threat index), that left N. America with the highest CRI overall. Latin/South America came in at a positive CRI level, which has never been seen before and was mainly due to their CPI being higher (meaning more prepared than the other regions).
The Details of the 1H’2021 CRI
Let’s dig into the results a bit further to identify areas of greatest concern across regions.
1. With the global Covid-19 pandemic continuing, and seeing many successful ransomware attacks and breaches, it does appear that many organizations felt their preparedness may be more of a concern now than in the past. Below are the top five security risks around their infrastructure:
a. Organizational misalignment and complexity
b. Desktop or laptop computers
c. Cloud computing infrastructure and providers
d. DNS server environment
e. IOT devices and applications
Organizations continue to be challenged with the complexity of their infrastructures, with cloud implementations and IOT being adopted. This year, it may not be surprising to see (b) above based on the number of successful attacks targeting these computers. The DNS environment is new to this list and may show concerns over successful attackers targeting this area of their networks.
2. Globally, respondents answered the following question with the lowest number for preparedness out of all 31 questions in this area: My organization’s IT security function is able to prevent most cyber-attacks. This was a key area of preparedness that caused the index to be at an elevated risk level.
3. In asking about attacks in the past 12 months and future attacks in next 12 months, the results don’t bode well for 2H’2021. Globally, 81% had 1 or more successful attacks, and 24% had 7 or more successful attacks in the past 12 months. Additionally, 86% say it is somewhat to very likely they will have a successful attack in the next 12 months. This again appears to indicate organizations know they are not prepared enough to defend against new attacks.
The CRI is designed to help organizations understand where their highest risks lie and identify areas where they can improve their preparedness. We cannot change what the attackers will do in the future, but the cyber threat index will continue to help us understand if attackers are being more aggressive. From 2020 to 1H’2021, the three numbers in #3 above all increased, indicating that attackers are likely becoming more aggressive.
For example, we’ve run the CRI 4 times now for N. America and the cyber threat index has stayed consistent, 5.22 in 2018, 5.5 in 2019, 5.22 in 2020 and 5.35 in 1H’2021. So, the biggest areas that can shift the CRI from a negative result to positive results (less risk) are in cyber preparedness which has unfortunately been falling for the past 3 years, 5.34 in 2019, 4.14 in 202, and 4.07 in 1H’2021. Note, a lower CPI means higher risk level.
Based on the results, these are the areas of preparedness that most need work to address the perceived areas of highest risk:
- Ensure the IT security leader (CISO) has sufficient authority and resources to achieve a strong security posture.
- Improve the organization’s ability to know the physical location of business-critical data assets and applications.
- Look to improve the organizational misalignment and complexity of its security infrastructure.
- Train and educate employees about cyber threats and ensure they view cybersecurity as a necessary part of their jobs.
- Adopt cloud computing infrastructure and work with the providers to secure it. Also, educate the staff charged with implementing these new technologies, so they are able do so securely.
- Improve the ability to detect and respond to new attacks and deploy a more connected threat defense infrastructure that limits the number of security solutions and allows visibility across the entire attack lifecycle.
- Look for ways to improve threat sharing and collaboration with other organizations and governments.
The CRI is ongoing, and we update it each year to show trends around the ability to prepare and withstand attacks. I’m looking forward to seeing how the global respondents may change their perceptions in the future.
Until then, enjoy the 1H’2021 CRI results. Check the webpage for more details and assets and to assess your own organization’s CRI against the current results: www.trendmicro.com/cyberrisk.