Most companies hit by more than one major cyberattack in the past two years

(Image credit: Shutterstock/Ai825)

Almost two in three businesses have suffered two or more business-disrupting cyberevents in the past 24 months. 

A report by Tenable describes a ‘business-disrupting cyberevent’ as a data breach or ‘significant disruption and downtime’ to business operations, plant and operational equipment. In the same period of 24 months, almost all businesses suffered at least one such event.

Still, many companies do not measure how much these events cost them. Without that understanding, organisations can’t make risk-based business decisions backed by actual figures, and in the end the C-suite lacks actionable insights.

Even those that do track the business costs of a cyberevent aren’t confident that these metrics are accurate, and believe they are making key decisions without critical information. That information includes things like the cost of IP theft, loss of revenue, or loss of productivity.

But it’s not just that they don’t track data breaches – they also don’t track their attack surface. The report argues that the computing environment in an average organisation is getting more and more complex, making it increasingly difficult to keep an eye on the entire attack surface at all times.

This is further exacerbated by the fact that many organisations lack adequate staffing.

“The tools and approaches organisations are using fail to provide the visibility and focus required to manage, measure and reduce cyber risk in the digital era,” the report concludes.

“In today’s digital economy, cyber risk equates to business risk. It’s shocking to learn that organisations are suffering business-impacting cyber events yet are struggling to accurately measure the resulting financial cost,” said Bob Huber, CSO, Tenable. “This study powerfully highlights that most organisations have not implemented security metrics that reflect cybersecurity’s role as a core business function. CISOs need reliable metrics to help them make educated decisions on the allocation of resources, investments in technology and the prioritisation of threats.”
