In the first half of 2022 we ran the Trend Micro Cyber Risk Index (CRI) to gauge the shifts in how organizations viewed their cyber risk. We included North America, Europe, Asia-Pacific, and Latin/South America, giving us a truly global view of the cyber risk that organizations are dealing with today.
The CRI is the result of a collaborative effort between Trend Micro and the Ponemon Institute to survey respondents. In the first half of 2022 we surveyed over 4,100 businesses of all sizes globally. The CRI looks to identify the cyber risk level organizations have based on two areas:
- Their ability to prepare for cyber-attacks targeting them (cyber preparedness index - CPI)
- The current assessment of the threats targeting them (cyber threat index - CTI)
These are used to calculate the overall cyber risk of an organization based on a scale from -10 to +10, where negative results represent a higher risk level. Effectively we calculate the CRI by subtracting the CTI from the CPI (CRI = CPI – CTI).
The Global and Regional CRI
The current global cyber risk index is at -0.15, which is considered an elevated risk level. This is a slight increase in risk from the second half of 2021, when it was -0.04. Organizations in North America and Asia-Pacific saw an increase in their cyber risk from that period while Europe and Latin/South America’s risk decreased in comparison.
Digging into each of the four regions, North America’s CRI was the most elevated of the regions at -0.33. The region’s CPI worsened slightly from 5.35 to 5.30 (a lower CPI number means higher risk) and their CTI dropped from 5.36 to 5.63 (a higher CTI means higher risk).
Europe’s overall CRI improved very slightly from -0.15 to -0.12. Preparedness decreased, but their threat index improved further, leading to a better CRI.
Asia/Pacific saw their cyber risk move from moderate to elevated due to a significant decrease from the second half (+0.20 to -0.11). Their lower CRI was mainly due to a much higher threat risk: moving from 5.15 to 5.44.
Latin/South America’s risk improved slightly, decreasing from -0.20 to -0.03. This was mostly due to a marked improvement in their CPI (4.94 to 5.27) than CTI (5.14 to 5.30).
Essentially, this means that businesses in North America were the least prepared globally to effectively stop or respond to cyber threats in the first half of 2022. Since businesses across all four regions seem to face equal levels of risk (elevated cyber risk indices), this means they all need to improve in the future to ensure they can defend against the threats and malicious actors targeting them.
The Details of the 1H’2022 CRI
This infographic shares many of the details found in the latest CRI survey. See the infographic here.
Let’s investigate some of the responses to risks in people, processes and technology we found.
Based on the results, these are the areas of preparedness that most need work to address the areas of highest risk, meaning these questions were answered with the lowest scores (highest risk):
- My organization’s senior leadership views security as a competitive advantage.
- My organization’s CEO and Board of Directors are actively involved in overseeing the IT security function.
- My organization’s IT security leader (CISO) has sufficient authority and resources to achieve a strong security posture.
- My organization spends considerable resources to recruit and retain IT security personnel.
- My organization is actively involved in threat sharing with other companies and government.
- My organization’s IT security objectives are aligned with business objectives.
- My organization’s IT security function is quick to test and install all security patches.
- My organization’s IT security function has the ability to know the physical location of business-critical data assets and applications.
- My organization’s IT security function has the ability to unleash countermeasures (such as honeypots) to gain intelligence about the attacker.
- My organization makes appropriate investments in leading-edged security technologies such as machine learning, automation, orchestration, analytics and/or artificial intelligence tools.
The number of breaches organizations suffered in the last 12 months, as well as the likelihood of a breach occurring in the next 12 months, have all increased since the 2H’2021 survey.
The CRI is ongoing, and we update it twice a year to show trends in the ability to prepare for and withstand attacks. I’m looking forward to seeing how global respondents change their perceptions in the future.
Until then, enjoy the 1H’2022 CRI results and if you want more information about how the survey is conducted, check out the methodology here.