Get your ducks in a row – the Importance of KPIs in Quantifying your Cyber Security Setup

As awareness of the risks surrounding cyber-crime increases, many businesses are waking up to the urgent need to protect themselves online from malicious attackers. Enhanced employee training programmes and increased investment in software solutions can go some way to mitigating this threat, but without any way of quantifying your progress, it’s impossible to know how well your business’ online defences are holding up in the face of an ever-shifting threat landscape.

That’s why it’s so important to keep track of a few key metrics pertaining to the performance of your security awareness programme. By monitoring targeted key performance indicators (KPIs), you can gain valuable insight into how well the measures you put in place are working to repel cyber-attacks on your company. In turn, this can be used to improve training practices, demonstrate the tangible benefits of investment to decision-makers and measure the level of risk your company is exposed to compared to other organisations in the same industry.

Specificity is essential

Of course, depending on your business size, sector and orientation, the KPIs that are most relevant to you will vary greatly. For example, an SME with a small online presence will prioritise staying abreast of all and any attacks on their limited internet activities. On the other hand, a large multinational corporation may be subject to hundreds or even thousands of attacks on a daily basis, and so may be more interested in targeting a particular area of their cyber-security, such as internal user behaviour.

The trick is to identify a handful of KPIs which will have the most impact on how your organisation performs in the face of an increasingly hostile online world and evaluating your security setup based on those. Some commonly-used metrics which can give a clear and actionable insight into the effectiveness of your current modus operandi include:

• Employee awareness – By conducting an employee awareness survey, you can gauge the number of your workforce who are cognisant of and engage with existing security practices. This could take the form of an online questionnaire consisting of 20-30 questions to be taken at six-monthly intervals.
• Employee input – It’s one thing understanding the challenges posed by cyber-crime – it’s quite another implementing real policies and amending habits to make a tangible difference to your company’s online security. Asking employees – again on a biannual basis – what lessons they have learned, how their behaviour has changed and which areas still need to be addressed can help to improve your training programmes going forwards.
• Employee knowledge – So you’ve tested your employees’ awareness of the threats facing your business and heard their input… but how much of the information contained in your training have they retained? A quarterly test, containing targeted questions which specifically assess their knowledge of your security policies, can highlight areas where compliance may be compromised.
• Simulated phishing – By simulating phishing attacks which replicate the real thing, you can gain a better understanding of which departments and individuals are susceptible to clicking on suspicious links or opening unsolicited emails. This can help you to better target your training and over time, the number of employees falling prey to the simulation should decrease.
• Phishing flags – As well as steering clear of these simulated attacks, your employees should also be actively improving your overall security infrastructure by reporting suspicious emails when they recognise them. Viewing the number of red flags raised can inform you on how well-versed your staff are in dealing with phishing attacks, again allowing you to zone in on departments or individuals who can improve. This metric should increase over time.
• Password strength – It’s cyber security 101 – but the number of office workers who still don’t employ basic protocol when choosing a password (such as incorporating numbers and symbols or not reusing existing passwords) is sky high. By simulating a brute force attack on your employees’ passwords, you can determine who needs to rethink their login details and beef up the security chain, one link at a time.
• Desktop security – When five o’clock rolls around, many employees are more concerned about clocking out than logging off. A nightly visual check-up on who is following procedure will give you real-time awareness of which computers are being left vulnerable to outside (and internal) interference.
• Successful attacks – Perhaps the baseline metric, the number of successful attacks (and as a consequence, the number of infected computers) gives you an at-a-glance overview of how well your outfit is geared towards repelling cyber threats. In line with the training and improved behaviour mentioned above, this figure should decrease over time.

This is by no means an exhaustive list of all the metrics available to quantify your company’s security, but it is a quick rundown of some of the most commonly used ones. At Quorum Cyber, we have considerable experience in implementing and managing these KPIs and more, ensuring a robust security framework for our customers at all times.

Working closely with you, we can identify which metrics will best serve your company profile and tailor a security strategy geared towards boosting your infrastructure, delivering a bespoke service and results you can see and measure. To find out more about how we can help you to boost your company’s cyber defences, get in touch with us today.