Cybersecurity 101: Ten KPI’s to Monitor

No alt text provided for this image

It’s no surprise that attackers are using more sophisticated techniques to target systems from personal devices to all sizes of businesses. Deloitte estimated that a low-end cyber-attack costing $34/month could return $25K while larger attacks costing a few thousand dollars could return as much as $1 million per month. IBM estimates the average cost of a data breach to a business as $3.86 million. To mitigate the harm caused by data breaches, you need to know what to monitor and why. Here are ten cybersecurity monitoring suggestions to protect networks, devices, and programs and information from attack, damage, and unauthorized access. 

Security Incidents and Impact

The number of reported incidents should be measured to stay aware of cyberattacks. Not every incident leads to a costly data breach. The first step is to calculate the threat percentage of major and minor incidents. Then the average cost of an incident can be determined. Once the numbers of how cybersecurity and data breaches are impacting the company are known, the big picture of annual loss expectancy can be discussed.

Annual Loss Expectancy = (Number of Incidents per Year) x (Potential Loss per Incident)

The annual loss expectancy can change, though, as data breaches and the costs of cleaning up a data breach rise, which requires adjustments to the calculation. Third-party tools can be helpful in detecting and monitoring all applications to see trends in incidents.

Number Security of Incidents

The number of both small and major security incidents is important to measure to remain informed of exploitation and set key performance indicator priorities. If you have the number of security incidents, it is possible to focus on the incidents that have the most significant financial impact on the company. Some hackers are targeting areas for a catastrophic loss. For example, the WannaCry attack is predicted by experts to have created $4 billion in damages, and hospitals were shut down during recovery. While the smaller incidents may not be catastrophic, the alert team should detect and disarm these threats before damage is done. Minor incidents typically include things like suspicious emails and activity on the server from hackers that may try to take down your website.

Time to Resolve an Incident

Time to resolve an incident is essential to measure to learn how the cyber team is performing and measure business impact. Time is money, and cybersecurity is no exception. A log should be kept documenting the time that the breach was first noticed until the final report. Third-party vendor tools can support the logging and interpretation of this time. Downtime can hurt a business from loss of sales to customer confidence. Server logs and hosting providers can help identify data, and traffic issues can provide insights into how much potential damage was caused by the hack. Both the mean-time-to-identify and the mean-time-to-respond should be measured as poor performance in these areas can be a contributor to breach costs. For US companies in 2017, the mean-time-to-contain was 208 days, and the mean-time-to-identify was 52 days.

Number of Systems with Known Vulnerabilities

Knowing the number of assets that have vulnerabilities helps determine the risk that the business could incur. While managing updates and patches can sometimes be complicated, it is vital to avoid loopholes that could be used by hackers. A vulnerability scan should be performed that includes all the assets that indicate what can be done to improve the security of the business.

Invalid Log-In Attempts

It is important to check system logs from time to time to see if anyone has tried to access your computer. It is good to have a system that monitors every attempt to login and tracks, whether it is successful or otherwise. It is good to monitor failed and locked on logon attempts for the entire domain. Software like ADAudit Plus, Netwrix Account Lockout Examiner, and Security Onion can help with these goals. Software like UserLock allows users granulated access restrictions by specific areas like workstation, device, IP, and range. They also can limit for concurrent sessions, enforce user logon times, use real-time user access monitoring, create alerts and rapid response to inappropriate login behavior, remove disconnection from sessions left open as well as report and audit all access events.

Number of Users with “Super User” Access

Employees should have an access level to company resources that are necessary for their work. Identifying the access levels of network users allows them to be adjusted as needed by blocking any super users that have access, but it is not required to perform their job.

Number of Communication Ports Open During a Period of Time

Generally speaking, it is standard to avoid allowing inbound traffic for NetBIOS. Also, businesses should be observant of outbound SSL since a session that stays active for an extended time could be an SSL VPN tunnel that allows bi-directional traffic. Any common ports for protocols that would enable remote sessions should be monitored for the length of time.

Frequency of Access to Critical Enterprise Systems by Third Parties

Managers may grant access to third parties on particular activities. It is critical to monitor whether the access is canceled at the end of the provided service. If this is not measured, there is a chance that the third party returns to extract data or carry out other hacks. And, if the third party’s network is hacked, it exposes the network to the same threat.

Percentage of Business Partners with Effective Cybersecurity Policies

Companies that provide services to your business cannot be overlooked. Providing access to environments to outsourced companies can post a risk if there are not effective cybersecurity policies in place. Your security practice is as strong as the third parties that are connected to your system.

Meeting Regulatory Requirements

It is essential to measure this because there are national regulatory requirements as it relates to cybersecurity incidents. If the business is naïve to understanding current regulations and requirements, it does not relieve the firm of liability and can result in fines as well as reputation costs. States like New York, for example, require financial service companies to hire a CISO responsible for risk mitigation. Data breaches also have requirements that are time-bound for businesses.

No alt text provided for this image

 Key performance indicators (KPIs) can help a company keep objectives at the forefront of decision making. This overview provided ten suggestions for measuring KPI’s that can help in mitigating risks by measuring your performance against your cybersecurity goals.

#Cybersecurity #Monitoring  #KPIs

About the Author

Shannon Block is an entrepreneur, mother and proud member of the global community. Her educational background includes a B.S. in Physics and B.S. in Applied Mathematics from George Washington University, M.S. in Physics from Tufts University and she is currently completing her Doctorate in Computer Science. She has been the CEO of both for-profit and non-profit organizations. Currently as Executive Director of Skillful Colorado, Shannon and her team are working to bring a future of skills to the future of work. With more than a decade of leadership experience, Shannon is a pragmatic and collaborative leader, adept at bringing people together to solve complex problems. She approaches issues holistically, helps her team think strategically about solutions and fosters a strong network of partners with a shared interest in finding scalable solutions. Prior to Skillful, Shannon served as CEO of the Denver Zoo, Rocky Mountain Cancer Centers, and World Forward Foundation. She is deeply engaged in the Colorado community and has served on multiple boards including the International Women’s Forum, the Regional Executive Committee of the Young Presidents’ Organization, Children’s Hospital Quality and Safety Board, Women’s Forum of Colorado, and the Colorado-based Presbyterian/St. Luke’s Community Advisory Council. Follow her on Twitter @ShannonBlock or connect with her on LinkedIn.

Visit for more on technology tools and trends.

Security Assessment versus Security Audit?

If you are a member of the Board and the topic of a cybersecurity audit comes up, it is important to define what it is and what it is not. Audits are often used to evaluate the effect of policies. While sometimes security audits and assessments are referred to interchangeably, they really are not the same thing.

An assessment is an evaluation that seeks information to better understand a specific situation (people, process, and technology) and make informed decisions as it relates to that specific situation. An audit, on the other hand, typically involves verifying the system against a holistic standard that results in a pass or fail outcome.

An audit often contains different assessments, with a combination of conceptual and technical reviews. A security audit might include conducting physical, access control, and vulnerability assessments. But, a security audit will also likely include evaluating design controls and processes, standard operating procedures, disaster recovery plans, as well as several other components.

No alt text provided for this image

Audits can be costly and, depending on the scope, may only provide broader insights into an organization’s cyber health. For example, cyber health could be defined in terms of the presence of controls. But, if what is really needed is to evaluate the effectiveness of those controls in mitigating risk? If the effectiveness of a control is desired, then asking more questions around specific assessments might be warranted. For example, the auditor may determine that the organization checks the box because a firewall is in place on company devices. But, if the firewall is not properly configured, then the firewall might not even work.

A formal audit is typically performed by an external third-party vendor that has no conflict-of-interest. It is not uncommon for larger companies to have internal audit teams running assessments throughout the year to protect the company, as well as better prepare for the external audit. A security audit is often a more systematic evaluation of the organization’s information system compared to an established set of criteria. Processes like ISO27000 provide important frameworks and details that have influenced both assessments and audits.

No alt text provided for this image

When trying to determine a company’s cybersecurity posture, there are a variety of different assurance actions that can be taken. Cybersecurity audits and assessments are helpful tools in assuring that policies have been applied and that there are enforceable controls in place to ensure the correct application of policy across the organization.

#Cybersecurity #VendorManagement #CyberAudits #CyberAssessments