Do Your Business KPIs Include Cyber Security Metrics?

If not, they should. When it comes to running a small business and managing IT costs, tracking the right metrics and benchmarking your IT is the key to driving efficiency and productivity. Using data like cybersecurity metrics, you can make more intelligent decisions about your IT performance and find better ways to manage costs while growing your business and giving your staff the technology (and tech-contingency awareness) they need.

Why Should You Track IT Benchmarking Metrics?

Your IT is critical to the growth and performance of your business. Tracking IT benchmarking metrics, therefore, is an important part of the IT activities that are working (or aren’t working) so that you can continuously improve.

Specifically, tracking IT benchmarking metrics as part of your small business performance KPIs will help you:

• Understand if you’ve got the right hardware or software for your needs;
• Identify opportunities for cost-savings or efficiency gains;
• Analyze whether your customer support efforts could be improved; or
• Evaluate whether you need to outsource IT support or get an IT business partner.

Beyond performance, measuring your IT department’s contribution to your business is a positive step towards raising its profile with your stakeholders and in the boardroom. With a handful of metrics at your disposal, you can demonstrate to anyone – potential investors, clients, and other stakeholders – exactly what the IT brings to the business, and lay the groundwork for increased IT investment or a new IT strategy.

Your IT benchmarking metrics should be easy to collect, and they should align with your broader business goals. There is no point in tracking something that doesn’t benefit the entire business, relates to a single event, or that you can’t use to paint a picture of how the business is performing overall.

Most Companies Fail at Cyber Security Metrics 

With over 400 global business and security executives participating in a benchmark survey called The 2017 State Of Cybersecurity Metrics Annual Report, more than half of respondents scored an “F” or “D” grade when evaluating their efforts to measure their cybersecurity investments and performance against best practices.

Based on internationally accepted standards for security embodied in ISO 27001, as well as best practices from industry experts and professional associations, the Security Measurement Index benchmark survey provides a comprehensive way to define how well an organization is measuring the effectiveness of its IT security.

Findings from this Cyber Security Metrics survey include:

Failures in planning

• 1 in 3 companies invests in cybersecurity technologies without any way to measure their value or effectiveness.
• 4 out of 5 fail to include business stakeholders in cybersecurity investment decisions.
• 4 out 5 companies don’t know where their sensitive data is located, and how to secure it.

Failures in performance

• 2 out of 3 companies don’t fully measure whether their disaster recovery will work as planned.
• 4 out of 5 never measure the success of security training investments.
• While 80% of breaches involve stolen or weak credentials* 60% of companies still do not adequately protect privileged accounts—their keys to the kingdom.

In general:

• 58 percent of companies are failing in their efforts to measure the effectiveness of their cybersecurity investments and performance against best practices.
• 4 out of 5 companies worldwide are not fully satisfied with their cybersecurity metrics.

Most survey respondents do not feel confident about how they are measuring the value of their cybersecurity investments, and 80% stated that they are not fully satisfied with the metrics available.

As a Complement to Cyber Security Metrics

Here are some other valuable IT benchmarking metrics that we recommend tracking along with your cyber security metrics:

• The number of Service Disruptions. This is how many times in a defined period your IT services disrupted, down or otherwise unavailable. You can compare this metric with variation in income, new customer acquisition or productivity to evaluate the impact of downtime on your business.
• IT overhead costs. How much is your IT department costing you? This includes staffing, licenses, hardware and anything under the umbrella of IT. Use this metric as a gateway to identifying opportunities to cut costs, or as a way to start analyzing your capital expenditure vs. operational expenditure
• Hours worked per process. Identify some key business processes and track how many hours you and your staff spend on them. Think timesheets, reporting or preparing presentations. Finding out how much time goes through each process can help you identify opportunities for efficiency gains, and opens up a conversation about which processes and systems are working, and which ones aren’t.
• Operating productivity. IT issues can slow people down and be a drain on productivity. To analyze the impact of IT on operation productivity, take the number of people on your team and divide it by the number of IT support issues raised or calls made. If the result seems high, you may need to invest in some employee training, better software or hardware upgrades.
• Average speed answered. Again, IT issues slow people down – especially if they go unsolved for a long time. Find out how quickly you’re resolving IT issues by looking at the average time it takes to get IT support.
• Average call duration. If calls to your IT support are short, then your support team is efficient in resolving issues and the caller’s productivity interruption is minimal. If they’re long, then you may be understaffed or you may have some more serious problems with your IT that warrant more than over-the-phone troubleshooting. Help from an IT business partner may be in order.

You may think your business doesn’t need a formal, documented IT security policy based on cogent cybersecurity metrics. After all, documentation and worrying about information security is just for big unwieldy mega-corporations, right?

Wrong.

Let’s take a look at some findings from the UK government’s Cyber Security Breaches Survey 2017. According to the survey, 45 percent of small businesses have experienced cybersecurity breaches and attacks in the last 12 months, and the average cost of these breaches is $1,837 USD.

But, that’s generally just for starters. Take a look at the actual statistics on the average cost of a serious, downtime-causing data breach for some sobering reflection.

And, despite all this:

• Only 32 percent of small businesses have cybersecurity measures and formal policies in place (compared to 61 percent of large firms);
• Just 19 percent of small businesses provide cybersecurity training for staff; and
• Small businesses are less likely than large firms to seek guidance, information or advice on cybersecurity concerns.

Whether your business is big or small, IT security breaches aren’t an ‘if’ but a ‘when’. That means your business can no longer afford not to secure itself with a policy, at the very least.

Why, though? What does a strong IT and cybersecurity policy actually do for your company?

As we will show…quite a lot.

#1. It Refines Your Security Practices

When it comes to security, stabs in the dark or speculation are not enough. Your business needs a carefully crafted, written security policy because it will better organize and regulate your security processes. (Krantz can help you here.)

#2. It Empowers You, Office-Wide.

Does your entire staff know how to choose a strong password? Do they know how to detect a phishing scam? Do they know what warning signs to look for on a compromised website? Can you be sure of that?

The cyber attacker’s toolkit contains scams that deliberately try to trick your less tech-savvy employees. Give those employees written guidelines and they’ll be informed and ready to face the threats your business faces. (Krantz provides security awareness training that can and will help here.)

#3. It Minimizes Downtime.

If an attacker manages to breach your business, you’ll have a written plan ready and in place that can address it. Your team will know who to alert, how to respond and how to minimize any disruptions their colleagues might face with our complete network security defenses.

#4. It Helps You Stay Compliant.

If you want to avoid fines and business setbacks, you need to pay attention to regulations like the new General Data Protection Regulation (GDPR).  Use your cybersecurity metrics and IT security policy to nail down the specifics of these regulations; then, outline your requirements, set out how you’ll fulfill them, and guarantee your business’s ongoing compliance.

This focus on compliance will also help in securing business. Big clients like assurances that you comply with regulation and have processes for securing their data; your policy will show that.

Let Krantz Help You Implement Strong Cyber Security Metrics and Policies

Businesses across the industry spectrum turn to Krantz Secure Technologies for managed IT security services in New York City that include stronger cybersecurity metrics and policies as part of their KPIs, so give us a call right away at (212) 286-0325 or send an email to Sales@KrantzSecure.com to get started.