IT teams have been tracking KPIs and developing procedures for tracking cybersecurity metrics for some time, yet too many organizations are in the dark when it comes to cybersecurity threats. Using KPIs can be extremely useful, but using the right ones makes all the difference when addressing cybersecurity issues. Key Performance Indicators are quantifiable measures that are defined upfront to determine whether or not the organization is achieving its objectives. KPIs can change as the organization evolves, or when goals are achieved. Cybersecurity KPIs can track short- or long-term goals and are intended to measure the effectiveness of a company’s security operations.
Small and medium-sized businesses (SMBs) are widely considered the backbone of the US economy. According to a Deloitte report published in 2017, there are 28.8 million SMBs in the US, representing 99.7% of all US businesses. These small and medium-sized businesses are therefore a significant part of the overall business ecosystem, and they have grown significantly more vulnerable to cyber threats. In fact, according to a 2020 study published by Fundera, 60% of small businesses that are victims of a cyberattack go out of business within six months. On top of that, cybercrime costs small and medium businesses more than $2.2 million a year. Often, SMBs don’t have the immediate resources to implement complex cybersecurity programs.
Small companies are easy targets because they have small IT teams and usually have few resources to detect and respond to breaches. When a cyberattack occurs, it can be very difficult for small and medium-sized enterprises to protect their own resources. The right KPIs can help SMBs scale their cybersecurity program and justify the need for additional resources, whether in terms of people, tools or services. With KPIs, one can identify trends that may motivate changes in the cybersecurity program or processes. Without performance metrics, measuring cybersecurity performance is subjective and qualitative in nature. This may be acceptable to some organizations, but quantitative measures are less debatable. For example, if – based on KPIs – you can show that the cost of fixing a vulnerability before it is exploited is far lower than the cost of a breach, then make vulnerability vigilance a central part of your cybersecurity strategy.
There are many KPIs out there, but few are truly adapted to the unique circumstances of SMBs. Unfortunately, many cyber KPIs are meant for the larger businesses who have massively invested in cybersecurity. We’ve come up with a list of top cyber KPIs particularly useful to these businesses. The following KPIs can help to mitigate risks by measuring performance and are great ways to achieve your cybersecurity goals.
These KPIs can be divided into two categories: proactive and reactive. Proactive KPIs refer to behaviors adopted before an incident to mitigate the risk of it happening or to minimize the damage that can occur when it does. Reactive KPIs describe the actions taken by the team, or the solutions implemented, once a cyberattack has been detected. We’ll take a look at these different KPIs, from the most basic to the more complex.
1. Tracking the Number of Cybersecurity Incidents
One of the most basic cybersecurity KPIs is tracking the number of cybersecurity incidents and measuring the impact these attacks have on your organization. The threat environment and the number of reported incidents, whether they rise or fall, should be at the heart of cybersecurity KPIs for SMBs.
2. Mean Time to Detect
How long did it take to detect the incident? Detecting a breach rapidly can make all the difference in the world, especially for SMBs. According to IBM, the average time to identify a breach in 2020 was 220 days. Such a long exposure can cost businesses millions of dollars and can ultimately lead to bankruptcy.
3. Mean Time to Respond
This KPI measures the average time it takes to contain and remediate a cyber threat once it has been detected. The metric comes from a service management perspective and assumes someone is alerting you to a problem like an outage – typically not the case for smaller businesses. According to the SANS 2019 Incident Response survey, 52.5% of organizations had a mean time to respond of less than 24 hours, which means 47.5% took longer, likely including many SMBs that don’t necessarily have a full cybersecurity team. Just like the previous KPI, both the mean time to detect and the mean time to respond should be a focus of concern for SMBs.
4. Uptime / Downtime During an Incident
Downtime during a security incident can be extremely costly for small businesses. Consequences often include lost sales, lost revenue and lost customer confidence. If sales were lost because of a cyberattack, SMBs should consider cross-referencing the volume of sales from their historical data to determine the seriousness of the attack, commercially speaking. Companies can also use metrics to measure how many leads or how much traffic they would normally get on a similar day, and compare that to the results during an incident with downtime.
Managing the impact of a data breach on customers can be difficult and cumbersome. KPIs like these can help measure the impact of a security incident on customers. A data breach leads to several unwanted consequences for the consumer, which can mean life or death for small and midsize businesses.
5. Average Age of Vulnerabilities
This KPI shows the rate at which the IT team is addressing cyber hygiene issues: the average time that known vulnerabilities have remained unfixed. Good cyber hygiene, vulnerability and patch management should be a top priority for SMBs. This number reflects the effectiveness of an organization’s cybersecurity program.
6. Vulnerability Scan Coverage
In the long term, vulnerabilities can become very serious problems for any company. By tracking the coverage of scanning against your asset inventory, SMBs can have confidence that nothing is slipping through the cracks and know they are reducing cyber risk.
7. Phishing Failures
Phishing is a major threat for many types of businesses. According to Verizon’s 2020 DBIR, phishing is the leading threat action in more than 30% of breaches at small organizations. Phishing tests are a great way to assess your employees’ ability to detect dangerous emails or messages. The failure rate of these tests can act as a KPI and put a number on the cybersecurity awareness within a company. Understanding how many users fell victim to simulated phishing attacks is very valuable data and will help SMBs do better.
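As an added example, not code from the article or from CnSight, the following shows how KPIs 2, 3, 5, 6 and 7 above can be computed from simple incident, vulnerability and inventory records. The record layout, field names and sample values are constructed for illustration; open incidents and open findings are handled so they cannot skew the averages silently.

```python
from datetime import date, datetime

# Constructed incident records (assumed schema). "resolved" is None while open.
INCIDENTS = [
    {"id": "INC-1", "compromised": datetime(2021, 3, 1, 9, 0),
     "detected": datetime(2021, 3, 3, 9, 0), "resolved": datetime(2021, 3, 3, 21, 0)},
    {"id": "INC-2", "compromised": datetime(2021, 4, 10, 0, 0),
     "detected": datetime(2021, 4, 10, 6, 0), "resolved": None},
]
# Constructed vulnerability findings. "fixed" is None while the finding is open.
VULNS = [
    {"id": "V-1", "found": date(2021, 4, 1), "fixed": date(2021, 4, 11)},
    {"id": "V-2", "found": date(2021, 4, 21), "fixed": None},
    {"id": "V-3", "found": date(2021, 4, 1), "fixed": None},
    {"id": "V-4", "found": date(2021, 3, 2), "fixed": date(2021, 4, 1)},
]
REPORT_DATE = date(2021, 5, 1)
# Constructed asset inventory and the hosts that appear in the last scan run.
INVENTORY = {"web-1", "web-2", "db-1", "fileshare", "laptop-07"}
SCANNED = {"web-1", "web-2", "db-1", "laptop-07", "decommissioned-host"}

def _mean_hours(pairs):
    """Average (end - start) in hours over (start, end) pairs; None if nothing to average."""
    deltas = [(end - start).total_seconds() / 3600 for start, end in pairs]
    return sum(deltas) / len(deltas) if deltas else None

def mean_time_to_detect(incidents):
    # KPI 2: hours from compromise to detection, over incidents that were detected.
    return _mean_hours((i["compromised"], i["detected"]) for i in incidents if i["detected"])

def mean_time_to_respond(incidents):
    # KPI 3: hours from detection to resolution; open incidents have no value yet
    # and are excluded rather than counted as zero.
    return _mean_hours((i["detected"], i["resolved"]) for i in incidents if i["resolved"])

def average_vulnerability_age(vulns, today):
    # KPI 5: open findings keep ageing until the report date; fixed ones stop at fix date.
    ages = [((v["fixed"] or today) - v["found"]).days for v in vulns]
    return sum(ages) / len(ages) if ages else None

def scan_coverage(inventory, scanned):
    # KPI 6: percent of inventoried assets with a scan result. Scanned hosts that are
    # missing from the inventory do not raise coverage; they point at a stale inventory.
    return 100 * len(inventory & scanned) / len(inventory) if inventory else None

def phishing_failure_rate(sent, clicked):
    # KPI 7: percent of simulated phishing messages whose recipients fell for them.
    return 100 * clicked / sent if sent else None
```

Unscanned inventory entries (here `fileshare`) are the gaps KPI 6 is meant to surface, and `SCANNED - INVENTORY` flags assets the inventory has lost track of.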
Overall, using metrics and relevant cybersecurity KPIs can help businesses make smarter decisions when it comes to IT performance. Knowing how well your cybersecurity program is doing will lead to a better understanding of what you are spending your resources on. This is especially true for SMBs, which don’t have huge budgets. No matter the size of your business, CnSight, a lightweight and first-of-its-kind solution, offers executive-level analytics and visualization on the effectiveness of your cyber program. Using automation, CnSight measures progress over time and monitors the effectiveness of your cyber program as you introduce changes to people, processes, and tools aimed at improving your security posture. In the long run, CnSight can help you do more with less.