Organizations can use the NIST Cybersecurity Framework to assess their cybersecurity programs, but many may discover they have not done nearly enough to reduce the risk of cyber incidents. Recent research conducted by RSA suggests that three-quarters of companies have significant cybersecurity risk exposure and are ill-prepared to prevent and respond to cyberattacks.

This is the second year that the RSA Cybersecurity Poverty Index has been produced, and the second year running that 75% of organizations have shown that they face a high risk of cyber incidents occurring.

The research shows that organizations are investing heavily in perimeter defenses, yet a majority have under-developed incident response capabilities. “We need to change the way we are thinking about security, to focus on more than just prevention – to develop a strategy that emphasizes detection and response,” said Amit Yoran, CEO of RSA.

RSA suggests that organizations investing more heavily in detection and response technologies are in a much better position to defend against cyberattacks than those that concentrate on perimeter defenses. However, more than half of the organizations that took part in this year’s study reported virtually non-existent incident response capabilities.

The study revealed that the risk of cyber incidents is not well understood by many organizations, and that it often takes a security incident with a negative impact on the business before appropriate defenses are implemented. In many cases, businesses simply do not understand how cyber risk can affect them until a major incident makes it clear. Organizations that regularly deal with cybersecurity incidents have a much better understanding of the need to strengthen defenses, and of the technology required to do so.

Too Little Being Done by the Majority to Address the Risk of Cyber Incidents

The number of organizations taking part in this year’s study more than doubled. Study participants numbered 878 this year, and came from 81 countries around the world.

While organizations are still exposed to a high risk of cyber incidents, this year’s data show that things are improving. Many organizations now have more mature capabilities. This year, 7.4% of respondents said their organizations had advantaged capabilities compared to only 4.9% last year.

45% of respondents said their ability to assess and mitigate cybersecurity risk was virtually non-existent. Only a quarter (24%) of respondents classed their organization as being mature in this area.

Interestingly, the financial services industry, which many believe to have relatively advanced cybersecurity protections, was not rated as highly as expected. Last year, 33% of financial services organizations rated their capabilities as developed or advantaged; this year only 26% did so. The aerospace and defense industries had the highest proportion of organizations in these categories (39%), while government organizations and the energy industry rated their capabilities the lowest (18%).

EMEA organizations had the highest level of overall maturity, with 29% of respondents from that region rating their capabilities as advantaged or developed. APJ organizations came second with 26%, while organizations in the Americas were lowest at 23%.