Six Degrees of Cyber Security Benchmarking in 2022

68% of organisation leaders believe that cyber security risks are on the rise and becoming increasingly difficult to manage. What’s more, the cost of failure continues to rise. In the UK, the average data breach now costs around $3.9 million, an increase of 4%.

Cyber security benchmarking is critical to understanding how your investments stack up against industry standards, and how well you are protected from risk. At Six Degrees, we take benchmarking seriously and have built benchmarking capabilities into our Cyber Security Maturity and Benchmarking Service, Aegis.

Here, we are going to look at six factors that we focus on to deliver benchmarking for our customers, helping you better understand your security system. The question is, what exactly should cyber security benchmarking take into account in 2021 and beyond?

Suggested reading: Benchmarking will let you understand your vulnerabilities, but you still need the support of the board to make new investments. For help on how to ensure that support, check out our free resource — The Board Presentation Template: Cyber Security and Threat Management Toolkit.

1. Compliance and Accreditations

Personal data was involved in 58% of breaches in 2020. Compliance and accreditation standards such as GDPR and UKAS in Europe are part of standardising how organisations need to go about protecting the personal data they store. Failure to meet these standards leaves organisations open to legal action, in addition to other negative consequences of a breach.  

Critical factors to take into account

Remaining compliant is one of the more straightforward components of benchmarking. You cannot guarantee safety, but you can understand the legal requirements and compare them against your own cyber security practices. It’s important to understand the types of data you’re dealing with, any existing industry norms or expectations, and any location-specific regulations that you need to adhere to.

How to improve

  1. Compliance-specific training: You need to train staff to act in adherence with the law.
  2. Expert knowledge: Maintain a knowledge-store of the latest regulatory and compliance information. 
  3. Regular data assessments: Carry out regular assessments of the data you capture and how that data is being managed to ensure it aligns with regulatory best-practice. 

2. Technical Compliance

Knowing what you should be doing to protect sensitive data is only half the battle — the next step is aligning what you’re doing with technical compliance regulations. It’s crucial that your cyber security measures consist of the necessary technical components, and that your team is equipped to deploy, monitor and update them efficiently. After all, even a well-trained, high-quality security team is going to struggle to protect a technical infrastructure that invites hackers right in. 

Critical factors to take into account

In a general sense, benchmarking technical compliance means accounting for every aspect of an organisation’s IT approach. You need to make sure the technical components of your security system are in working order: firewalls, monitoring/visibility capabilities, disaster recovery and backup, along with authentication procedures. You therefore need to consider key related factors such as:

  • Software: What applications you use within your organisation and how they impact your security profile and capabilities.  
  • Authentication: How you identify users and provide access while remaining in control of your system. 
  • Third-party access: How you expand access to applications and data to users outside of your organisation while remaining safe. 

Pro tip: MDR (Managed Detection and Response) services are a particularly flexible, accessible and robust way to expand access to your business applications and data, while still remaining secure. Discover more by reading What is MDR?

Check out our guide on Planning For the Future of Cyber Security Today if you want to learn more. 

How to improve

  • Regular software updates: Out of date software can leave you vulnerable to attack. Ensuring that the systems you use are continuously updated is an important part of cyber hygiene best practices.  
  • In-depth IT audits: Self-reflection is crucial. You need to have a good understanding of what your IT system looks like from a cyber security perspective — regular, thorough IT audits can achieve that for you. 
  • Improved authentication processes: Ensuring that your ability to provide access to your system takes into account remote access is more important now than ever. Check out our blog about mobile device management for more details.

3. Transformation and Maturity

Cyber security is a journey, not a destination. In an ever-maturing risk landscape, it’s critical to build adaptable solutions at all times. Specifically, this past year has seen increases in clone phishing and individually-led DDoS attacks that existing infrastructures simply aren’t poised to deal with. Luckily, a focus on transformation and maturity can help to address even new risks as they arise.

Critical factors to take into account

Fixed security processes have never been fit for purpose. It’s important to have agile and robust cyber security measures in place that will enable you to take a defence-in-depth approach to maintaining secure outcomes. Benchmarking is a great way to root out where your security measures are falling short, so that you are in the best position to tailor reactive, repeatable and measurable optimisations of your security measures. Factors to consider include:  

  • Automated processes: Human error is a significant contributor to cyber breaches. The more you can automate best practices, the fewer risks you will face.  
  • Integrated security: It’s important that your entire system works together. For example, if you’re heavily embedded in the Microsoft ecosystem, using a solution like Microsoft Defender for Endpoint can help ensure the best possible outcomes. 
  • Ongoing monitoring: You need the ability to respond to threats in real-time, and that’s only possible if you’re monitoring your system — either yourself, or with the aid of an MDR partner.
  • Continual cyber security improvements: It’s critical to maintain an active cyber security posture, always looking out for new threats and finding new ways to respond.

Fundamentally, active monitoring and response capabilities are critical components of your cyber security readiness. Again, Managed Detection and Response (MDR) is a great choice here. A strategic partnership will allow you to sidestep the cyber security skills shortage and access economies of scale that more efficiently deliver the kind of on-demand monitoring and response capabilities you need.

How to improve

  • Centralised cyber security: Consolidating visibility over your cyber security system will give you more control over the intricacies of implementing cyber security protocols.
  • Adaptability: Being able to be flexible when problems arise is crucial to effective cyber security. 
  • IT assessments: You need to monitor your cyber security capabilities and become aware of any potential threats. 
  • Real-time updates: Allow your organisation to stay current with its cyber security measures and catch threats early if they arise. 

Further reading: Staying up to date on risks is critical. Check out our blog Cybercrime Trends 2021: How to Prepare for the Updated Risk Landscape.

4. Events, Alerts, and Threat Intelligence

You need to understand the risks you face and the state of your system. A lack of awareness can cripple your ability to respond and will fundamentally impact the type of solutions you invest in. One troubling statistic is that it took companies an average of 207 days to recognise breaches during 2020. 

However, simply understanding your own system isn’t good enough. New and sometimes hard-to-spot risks arise daily, and organisations need to keep their fingers on the pulse with regard to what they know about the threats they face, and how they directly respond to threats that do manage to breach their defences.

Critical factors to consider

Particularly in the context of BYOD and remote working, organisations struggle to maintain visibility over their systems, and gain a comprehensive understanding of the risks they face. With more devices and more applications being used, threat intelligence requires taking a broader view of the situation — rather than simply focusing on the vulnerabilities of your on-premises solutions. It’s also more difficult to gain visibility over threats in real-time. 

Again, MDR can be a critical component of delivering an effective and responsive alert system that will let you respond to threats before they become a breach. This is particularly true when partnered with automated endpoint security systems that focus on monitoring and controlling communication between devices and your system as a whole. This makes it far more possible to engage with remote access and BYOD without compromising security outcomes. 

How to improve

  1. Interconnected solutions: Use integrated tools that share knowledge between them, so that the administrative work of manually collating information is avoided.
  2. Expert insight: Keep up-to-date with the latest innovations within the cyber security industry — and implement them within your strategy. 
  3. Automated alerts: You need automated notifications of any suspicious activity in order to minimise malicious activity and respond quickly. 
  4. Improved training: Implement effective and informative training so all members of staff are aware of the latest best practices in compliance and cyber security.

Further reading: For more information on how to master the unknowns of cyber security, check out our blog — Cyber Threat Intelligence Update for 2021.

5. Governance and Policy

By making it clear who can do what within your organisation, you not only ensure that you’re taking protective measures in-house, but also that you minimise risk, and make breaches easier to identify at their source if they do arise. It’s essential to keep everyone on the same cyber security page, and your approach to governance is critical to making this outcome a reality. 

Critical factors to consider

Organisations can choose between either formal or informal governance and policy implementations, and this decision largely comes down to factors such as the size of an organisation or the resources available. In practical terms, benchmarking the ideal approach for your organisation means determining: 

  • The security decisions that need to be made: What investments are required and how you should respond to risk. 
  • The people who will make them: Who is responsible for different aspects of your cyber security system, and how you obtain the resources required to make the investments needed.
  • The information required to make those choices: How you are collecting information about vulnerabilities, capabilities and threats.

How to improve

  • Data oversight: You need to monitor the totality of your data across your organisation in order to truly understand what’s at stake and how you should best respond.
  • Regularly updated policies: Stay up-to-date with the optimisations and updates on policy; this means implementing the changes as well as being aware of them. 
  • Clear demarcation of responsibility: Determining ownership over tasks is important to ensuring actions are taken and updates are made. You need to avoid a situation in which multiple people believe others are responsible for a task that no one is paying attention to. 

6. Appetite for Risk

We’ve benchmarked active ways to reduce risks. However, risk appetite, outlined within a risk assessment, is also a fundamental part of your security journey. After all, it isn’t possible to avoid all risks. Cyber security is about making targeted investments and compromises that align your willingness to accept risk with a realistic understanding of the risks you face. 

For instance, many organisations consider BYOD to be a worthwhile risk — enabling greater flexibility and reducing equipment costs, while accepting the fact that it increases their exposure to a breach. However, organisations with higher risk profiles and a limited risk appetite may legitimately view this as an unnecessary risk that should be avoided. It simply comes down to your priorities.  

Critical factors to consider

There is no right or wrong answer to risk appetite. Realistically, most components of cyber security benchmarking are unique to the organisation at hand. But this is doubly true when it comes to what risks you are willing to accept and those which you are not. However, important factors to consider include: 

  • Your organisational values: Whether you are a conservative or a progressive organisation will have a large impact on whether you prioritise flexibility or security.
  • Your overall organisational strategy: Maintaining an existing market or position generally enables a more conservative mindset, whereas challengers or startups are often required to accept risk in order to succeed.
  • Your stakeholders’ appetites: Investors, customers and board members all need to be taken into consideration. The reaction of critical stakeholders to a breach needs to be understood when calculating risk acceptance.
  • Your capacity for risk: Understanding the fines, losses, legal risks and more that you are exposing yourself to, along with your ability to accommodate these losses, allows you to understand the true consequences of the risks you’re accepting or rejecting. 

How to improve

  • Regular risk assessments: This is part of a wider cyber journey that requires assessing risk, but it also means developing solutions, testing outcomes and monitoring progress in a continuous feedback loop.
  • Improved communication with stakeholders/partners: Maintain regular and informative contact with the relevant stakeholders so they can trust in your cyber security measures too, and understand the risks being accepted.  
  • Resource alignment: Ensure that the resources you provide are synchronised and up-to-date with consistent information. 
  • Risk prioritisation: Identify potential risks, measure them against a scale (such as severity or frequency), and prioritise those that pose more of a threat to your organisation.

Benchmarking Experts Can Help

The risk landscape continues to change at ever faster rates. Organisations can’t afford to sit back and assume that security will take care of itself. Rather, regular assessments are fundamental to ensure up-to-date, inclusive security processes that are 100% suited to your organisation.

Benchmarking is the best way to do that, ensuring not only that you understand where your security stands, but also how that compares to what everyone else is doing. This can lead to in-house improvements and the board reporting that you need to keep stakeholders on-side right now. 

At Six Degrees, we ensure that benchmarking is a seamless and secure process that takes into account industry best practices and high standards. Aegis, as deployed by our team, is a Cyber Security Maturity (CSM) service with a difference — using single-repository, clearly defined, organisation-metric dashboards to give you a clearer understanding of:

  • Your organisation’s security posture
  • Your risk treatment plan
  • Your implemented improvements
  • The impact of your security investments

What’s more, our team is on hand to ensure you can make improvements that could well see you become the benchmark that other organisations long to live up to. Get in touch and talk to an expert if you want to understand how these different benchmarks apply to your specifics, and start building your future cyber security solution today.
